ci: force bash shell for all workflow steps

Self-hosted runner defaults to PowerShell on Windows, causing bash
syntax (if/then/fi, curl line continuations) to fail with parse errors.
Setting defaults.run.shell=bash at workflow level fixes all steps.

.github/workflows/deploy.yml

@@ -17,9 +17,13 @@ on:
       - 'docs/**'
 
 concurrency:
-  group: deploy
+  group: deploy-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
+defaults:
+  run:
+    shell: bash
+
 env:
   FORCE_JAVASCRIPT_ACTIONS_TO_NODE24: true
 
@@ -41,10 +45,10 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Go 1.22
-        uses: actions/setup-go@v5
+        uses: actions/setup-go@v6
         with:
           go-version: '1.22'
           cache-dependency-path: |
@@ -122,9 +126,16 @@ jobs:
           echo "| Server | ${SERVER_COV}% |" >> $GITHUB_STEP_SUMMARY
           echo "| Ingestor | ${INGESTOR_COV}% |" >> $GITHUB_STEP_SUMMARY
 
+      - name: Cancel workflow on failure
+        if: failure()
+        run: |
+          curl -s -X POST \
+            -H "Authorization: Bearer ${{ github.token }}" \
+            "https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/cancel"
+
       - name: Upload Go coverage badges
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: go-badges
           path: .badges/go-*.json
@@ -136,15 +147,15 @@ jobs:
   # ───────────────────────────────────────────────────────────────
   node-test:
     name: "🧪 Node.js Tests"
-    runs-on: self-hosted
+    runs-on: [self-hosted, Linux]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
         with:
           fetch-depth: 2
 
       - name: Set up Node.js 22
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '22'
 
@@ -263,9 +274,16 @@ jobs:
           BASE_URL=http://localhost:13581 node test-e2e-playwright.js || true
           kill $SERVER_PID 2>/dev/null || true
 
+      - name: Cancel workflow on failure
+        if: failure()
+        run: |
+          curl -s -X POST \
+            -H "Authorization: Bearer ${{ github.token }}" \
+            "https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/cancel"
+
       - name: Upload Node.js test badges
         if: always()
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
           name: node-badges
           path: .badges/
@@ -278,14 +296,14 @@ jobs:
   build:
     name: "🏗️ Build Docker Image"
     if: github.event_name == 'push'
-    needs: [go-test]
-    runs-on: self-hosted
+    needs: [go-test, node-test]
+    runs-on: [self-hosted, Linux]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Set up Node.js 22
-        uses: actions/setup-node@v4
+        uses: actions/setup-node@v5
         with:
           node-version: '22'
 
@@ -304,10 +322,10 @@ jobs:
     name: "🚀 Deploy Staging"
     if: github.event_name == 'push'
     needs: [build]
-    runs-on: self-hosted
+    runs-on: [self-hosted, Linux]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Start staging on port 82
         run: |
@@ -349,21 +367,21 @@ jobs:
     name: "📝 Publish Badges & Summary"
     if: github.event_name == 'push'
     needs: [deploy]
-    runs-on: self-hosted
+    runs-on: [self-hosted, Linux]
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@v5
 
       - name: Download Go coverage badges
         continue-on-error: true
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: go-badges
           path: .badges/
 
       - name: Download Node.js test badges
         continue-on-error: true
-        uses: actions/download-artifact@v4
+        uses: actions/download-artifact@v5
         with:
           name: node-badges
           path: .badges/

RELEASE-v3.1.0.md

@@ -0,0 +1,144 @@
+# v3.1.0 — Now It's CoreScope
+
+MeshCore Analyzer has a new name: **CoreScope**. Same mesh analysis you rely on, sharper identity, and a boatload of fixes and performance wins since v3.0.0.
+
+48 commits, 30+ issues closed. Here's what changed.
+
+---
+
+## 🏷️ Renamed to CoreScope
+
+The project is now **CoreScope** — frontend, backend, Docker images, manage.sh, docs, CI — everything has been updated. The URL, the API, the database, and your config all stay the same. Just a better name for the tool the community built.
+
+---
+
+## ⚡ Performance
+
+| What | Before | After |
+|------|--------|-------|
+| Subpath analytics | 900 ms | **5 ms** (precomputed at ingest) |
+| Distance analytics | 1.2 s | **15 ms** (precomputed at ingest) |
+| Packet ingest (prepend) | O(n) slice copy | **O(1) append** |
+| Go runtime stats | GC stop-the-world on every call | **cached ReadMemStats** |
+| All analytics endpoints | computed per-request | **TTL-cached** |
+
+The in-memory store now precomputes subpaths and distance data as packets arrive, eliminating expensive full-table scans on the analytics endpoints. The O(n) slice prepend on every ingest — the single hottest line in the server — is gone. `ReadMemStats` calls are cached to prevent GC pause spikes under load.
+
+---
+
+## 🆕 New Features
+
+### Telemetry Decode
+Sensor nodes now report **battery voltage** and **temperature** parsed from advert payloads. Telemetry is gated on the sensor flag — only real sensors emit data, and 0°C is no longer falsely reported. Safe migration with `PRAGMA` column checks.
+
+### Channel Decryption for Custom Channels
+The `hashChannels` config now works in the Go ingestor. Key derivation has been ported from Node.js with full AES-128-ECB support and garbage text detection — wrong keys silently fail instead of producing garbled output.
+
+### Node Pruning
+Stale nodes are automatically moved to an `inactive_nodes` table after the configurable retention window. Pruning runs hourly. Your active node list stays clean. (#202)
+
+### Duplicate Node Name Badges
+Nodes with the same display name but different public keys are flagged with a badge so you can spot collisions instantly.
+
+### Sortable Channels Table
+Channel columns are now sortable with click-to-sort headers. Sort preferences persist in `localStorage` across sessions. (#167)
+
+### Go Runtime Metrics
+The performance page exposes goroutine count, heap allocation, GC pause percentiles, and memory breakdown when connected to a Go backend.
+
+---
+
+## 🐛 Bug Fixes
+
+- **Channel decryption regression** (#176) — full AES-128-ECB in Go, garbage text detection, hashChannels key derivation ported correctly (#218)
+- **Packets page not live-updating** (#172) — WebSocket broadcast now includes the nested packet object and timestamp fields the frontend expects; multiple fixes across broadcast and render paths
+- **Node detail page crashes** (#190) — `Number()` casts and `Array.isArray` guards prevent rendering errors on unexpected data shapes
+- **Observation count staleness** (#174) — trace page and packet detail now show correct observation counts
+- **Phantom node cleanup** (#133) — `autoLearnHopNodes` no longer creates fake nodes from 1-byte repeater IDs
+- **Advert count inflation** (#200) — counts unique transmissions, not total observations (8 observers × 1 advert = 1, not 8)
+- **SQLite BUSY contention** (#214) — `MaxOpenConns(1)` + `MaxIdleConns(1)` serializes writes; load-tested under concurrent ingest
+- **Decoder bounds check** (#183) — corrupt/malformed packets no longer crash the decoder with buffer overruns
+- **noise_floor / battery_mv type mismatches** — consistent `float64` scanning handles SQLite REAL values correctly
+- **packetsLastHour always zero** (#182) — early `break` in observer loop prevented counting
+- **Channels stale messages** (#171) — latest message sorted by observation timestamp, not first-seen
+- **pprof port conflict** — non-fatal bind with separate ports prevents Go server crash on startup
+
+---
+
+## ♿ Accessibility & 📱 Mobile
+
+### WCAG AA Compliance (10 fixes)
+- Search results keyboard-accessible with `tabindex`, `role`, and arrow-key navigation (#208)
+- 40+ table headers given `scope` attributes (#211)
+- 9 Chart.js canvases given accessible names (#210)
+- Form inputs in customizer/filters paired with labels (#212)
+
+### Mobile Responsive
+- **Live page**: bottom-sheet panel instead of full-screen overlay (#203)
+- **Perf page**: responsive layout with stacked cards (#204)
+- **Nodes table**: column hiding at narrow viewports (#205)
+- **Analytics/Compare**: horizontal scroll wrappers (#206)
+- **VCR bar**: 44px minimum touch targets (#207)
+
+---
+
+## 🏗️ Infrastructure
+
+### manage.sh Refactored (#230)
+`manage.sh` is now a thin wrapper around `docker compose` — no custom container management, no divergent logic. It reads `.env` for data paths, matching how `docker-compose.yml` works. One source of truth.
+
+### .env Support
+Data directory, ports, and image tags are configured via `.env`. Both `docker compose` and `manage.sh` read the same file.
+
+### Branch Protection & CI on PRs
+- Branch protection enabled on `master` — CI must pass, PRs required
+- CI now triggers on `pull_request`, not just `push` — catch failures before merge (#199)
+
+### Protobuf API Contract
+10 `.proto` files, 33 golden fixtures, CI validation on every push. API shape drift is caught automatically.
+
+### pprof Profiling
+Controlled by `ENABLE_PPROF` env var. When enabled, exposes Go profiling endpoints on separate ports — zero overhead when off.
+
+### Test Coverage
+- Go backend: **92%+** coverage
+- **49 Playwright E2E tests**
+- Both tracks gate deploy in CI
+
+---
+
+## 📦 Upgrading
+
+```bash
+git pull
+./manage.sh stop
+./manage.sh setup
+```
+
+That's it. Your existing `config.json` and database work as-is. The rename is cosmetic — no schema changes, no API changes, no config changes.
+
+### Verify
+
+```bash
+curl -s http://localhost/api/health | grep engine
+# "engine": "go"
+```
+
+---
+
+## ⚠️ Breaking Changes
+
+**None.** All API endpoints, WebSocket messages, and config options are backwards-compatible. The rename affects branding only — Docker image names, page titles, and documentation.
+
+---
+
+## 🙏 Thank You
+
+- **efiten** — PR #222 performance fix (O(n) slice prepend elimination)
+- **jade-on-mesh**, **lincomatic**, **LitBomb**, **mibzzer15** — ongoing testing, feedback, and issue reports
+
+And to everyone running CoreScope on their mesh networks — your real-world data drives every fix and feature in this release. 48 commits since v3.0.0, and every one of them came from something the community found, reported, or requested.
+
+---
+
+*Previous release: [v3.0.0](RELEASE-v3.0.0.md)*

cmd/ingestor/decoder.go

@@ -72,8 +72,8 @@ type Header struct {
 
 // TransportCodes are present on TRANSPORT_FLOOD and TRANSPORT_DIRECT routes.
 type TransportCodes struct {
-	NextHop string `json:"nextHop"`
-	LastHop string `json:"lastHop"`
+	Code1 string `json:"code1"`
+	Code2 string `json:"code2"`
 }
 
 // Path holds decoded path/hop information.
@@ -92,6 +92,8 @@ type AdvertFlags struct {
 	Room        bool `json:"room"`
 	Sensor      bool `json:"sensor"`
 	HasLocation bool `json:"hasLocation"`
+	HasFeat1    bool `json:"hasFeat1"`
+	HasFeat2    bool `json:"hasFeat2"`
 	HasName     bool `json:"hasName"`
 }
 
@@ -111,6 +113,8 @@ type Payload struct {
 	Lat           *float64     `json:"lat,omitempty"`
 	Lon           *float64     `json:"lon,omitempty"`
 	Name          string       `json:"name,omitempty"`
+	Feat1         *int         `json:"feat1,omitempty"`
+	Feat2         *int         `json:"feat2,omitempty"`
 	BatteryMv     *int         `json:"battery_mv,omitempty"`
 	TemperatureC  *float64     `json:"temperature_c,omitempty"`
 	ChannelHash   int          `json:"channelHash,omitempty"`
@@ -123,6 +127,8 @@ type Payload struct {
 	EphemeralPubKey string     `json:"ephemeralPubKey,omitempty"`
 	PathData      string       `json:"pathData,omitempty"`
 	Tag           uint32       `json:"tag,omitempty"`
+	AuthCode      uint32       `json:"authCode,omitempty"`
+	TraceFlags    *int         `json:"traceFlags,omitempty"`
 	RawHex        string       `json:"raw,omitempty"`
 	Error         string       `json:"error,omitempty"`
 }
@@ -199,14 +205,13 @@ func decodeEncryptedPayload(typeName string, buf []byte) Payload {
 }
 
 func decodeAck(buf []byte) Payload {
-	if len(buf) < 6 {
+	if len(buf) < 4 {
 		return Payload{Type: "ACK", Error: "too short", RawHex: hex.EncodeToString(buf)}
 	}
+	checksum := binary.LittleEndian.Uint32(buf[0:4])
 	return Payload{
 		Type:      "ACK",
-		DestHash:  hex.EncodeToString(buf[0:1]),
-		SrcHash:   hex.EncodeToString(buf[1:2]),
-		ExtraHash: hex.EncodeToString(buf[2:6]),
+		ExtraHash: fmt.Sprintf("%08x", checksum),
 	}
 }
 
@@ -231,6 +236,8 @@ func decodeAdvert(buf []byte) Payload {
 	if len(appdata) > 0 {
 		flags := appdata[0]
 		advType := int(flags & 0x0F)
+		hasFeat1 := flags&0x20 != 0
+		hasFeat2 := flags&0x40 != 0
 		p.Flags = &AdvertFlags{
 			Raw:         int(flags),
 			Type:        advType,
@@ -239,6 +246,8 @@ func decodeAdvert(buf []byte) Payload {
 			Room:        advType == 3,
 			Sensor:      advType == 4,
 			HasLocation: flags&0x10 != 0,
+			HasFeat1:    hasFeat1,
+			HasFeat2:    hasFeat2,
 			HasName:     flags&0x80 != 0,
 		}
 
@@ -252,6 +261,16 @@ func decodeAdvert(buf []byte) Payload {
 			p.Lon = &lon
 			off += 8
 		}
+		if hasFeat1 && len(appdata) >= off+2 {
+			feat1 := int(binary.LittleEndian.Uint16(appdata[off : off+2]))
+			p.Feat1 = &feat1
+			off += 2
+		}
+		if hasFeat2 && len(appdata) >= off+2 {
+			feat2 := int(binary.LittleEndian.Uint16(appdata[off : off+2]))
+			p.Feat2 = &feat2
+			off += 2
+		}
 		if p.Flags.HasName {
 			// Find null terminator to separate name from trailing telemetry bytes
 			nameEnd := len(appdata)
@@ -469,15 +488,22 @@ func decodePathPayload(buf []byte) Payload {
 }
 
 func decodeTrace(buf []byte) Payload {
-	if len(buf) < 12 {
+	if len(buf) < 9 {
 		return Payload{Type: "TRACE", Error: "too short", RawHex: hex.EncodeToString(buf)}
 	}
-	return Payload{
-		Type:     "TRACE",
-		DestHash: hex.EncodeToString(buf[5:11]),
-		SrcHash:  hex.EncodeToString(buf[11:12]),
-		Tag:      binary.LittleEndian.Uint32(buf[1:5]),
+	tag := binary.LittleEndian.Uint32(buf[0:4])
+	authCode := binary.LittleEndian.Uint32(buf[4:8])
+	flags := int(buf[8])
+	p := Payload{
+		Type:       "TRACE",
+		Tag:        tag,
+		AuthCode:   authCode,
+		TraceFlags: &flags,
 	}
+	if len(buf) > 9 {
+		p.PathData = hex.EncodeToString(buf[9:])
+	}
+	return p
 }
 
 func decodePayload(payloadType int, buf []byte, channelKeys map[string]string) Payload {
@@ -520,8 +546,7 @@ func DecodePacket(hexString string, channelKeys map[string]string) (*DecodedPack
 	}
 
 	header := decodeHeader(buf[0])
-	pathByte := buf[1]
-	offset := 2
+	offset := 1
 
 	var tc *TransportCodes
 	if isTransportRoute(header.RouteType) {
@@ -529,12 +554,18 @@ func DecodePacket(hexString string, channelKeys map[string]string) (*DecodedPack
 			return nil, fmt.Errorf("packet too short for transport codes")
 		}
 		tc = &TransportCodes{
-			NextHop: strings.ToUpper(hex.EncodeToString(buf[offset : offset+2])),
-			LastHop: strings.ToUpper(hex.EncodeToString(buf[offset+2 : offset+4])),
+			Code1: strings.ToUpper(hex.EncodeToString(buf[offset : offset+2])),
+			Code2: strings.ToUpper(hex.EncodeToString(buf[offset+2 : offset+4])),
 		}
 		offset += 4
 	}
 
+	if offset >= len(buf) {
+		return nil, fmt.Errorf("packet too short (no path byte)")
+	}
+	pathByte := buf[offset]
+	offset++
+
 	path, bytesConsumed := decodePath(pathByte, buf, offset)
 	offset += bytesConsumed
 
@@ -562,16 +593,24 @@ func ComputeContentHash(rawHex string) string {
 		return rawHex
 	}
 
-	pathByte := buf[1]
+	headerByte := buf[0]
+	offset := 1
+	if isTransportRoute(int(headerByte & 0x03)) {
+		offset += 4
+	}
+	if offset >= len(buf) {
+		if len(rawHex) >= 16 {
+			return rawHex[:16]
+		}
+		return rawHex
+	}
+	pathByte := buf[offset]
+	offset++
 	hashSize := int((pathByte>>6)&0x3) + 1
 	hashCount := int(pathByte & 0x3F)
 	pathBytes := hashSize * hashCount
 
-	headerByte := buf[0]
-	payloadStart := 2 + pathBytes
-	if isTransportRoute(int(headerByte & 0x03)) {
-		payloadStart += 4
-	}
+	payloadStart := offset + pathBytes
 	if payloadStart > len(buf) {
 		if len(rawHex) >= 16 {
 			return rawHex[:16]

cmd/ingestor/decoder_test.go

@@ -129,7 +129,8 @@ func TestDecodePath3ByteHashes(t *testing.T) {
 
 func TestTransportCodes(t *testing.T) {
 	// Route type 0 (TRANSPORT_FLOOD) should have transport codes
-	hex := "1400" + "AABB" + "CCDD" + "1A" + strings.Repeat("00", 10)
+	// Firmware order: header + transport_codes(4) + path_len + path + payload
+	hex := "14" + "AABB" + "CCDD" + "00" + strings.Repeat("00", 10)
 	pkt, err := DecodePacket(hex, nil)
 	if err != nil {
 		t.Fatal(err)
@@ -140,11 +141,11 @@ func TestTransportCodes(t *testing.T) {
 	if pkt.TransportCodes == nil {
 		t.Fatal("transportCodes should not be nil for TRANSPORT_FLOOD")
 	}
-	if pkt.TransportCodes.NextHop != "AABB" {
-		t.Errorf("nextHop=%s, want AABB", pkt.TransportCodes.NextHop)
+	if pkt.TransportCodes.Code1 != "AABB" {
+		t.Errorf("code1=%s, want AABB", pkt.TransportCodes.Code1)
 	}
-	if pkt.TransportCodes.LastHop != "CCDD" {
-		t.Errorf("lastHop=%s, want CCDD", pkt.TransportCodes.LastHop)
+	if pkt.TransportCodes.Code2 != "CCDD" {
+		t.Errorf("code2=%s, want CCDD", pkt.TransportCodes.Code2)
 	}
 
 	// Route type 1 (FLOOD) should NOT have transport codes
@@ -537,10 +538,11 @@ func TestDecodeTraceShort(t *testing.T) {
 
 func TestDecodeTraceValid(t *testing.T) {
 	buf := make([]byte, 16)
-	buf[0] = 0x00
-	buf[1] = 0x01 // tag LE uint32 = 1
-	buf[5] = 0xAA // destHash start
-	buf[11] = 0xBB
+	// tag(4) + authCode(4) + flags(1) + pathData
+	binary.LittleEndian.PutUint32(buf[0:4], 1)          // tag = 1
+	binary.LittleEndian.PutUint32(buf[4:8], 0xDEADBEEF) // authCode
+	buf[8] = 0x02                                         // flags
+	buf[9] = 0xAA                                         // path data
 	p := decodeTrace(buf)
 	if p.Error != "" {
 		t.Errorf("unexpected error: %s", p.Error)
@@ -548,9 +550,18 @@ func TestDecodeTraceValid(t *testing.T) {
 	if p.Tag != 1 {
 		t.Errorf("tag=%d, want 1", p.Tag)
 	}
+	if p.AuthCode != 0xDEADBEEF {
+		t.Errorf("authCode=%d, want 0xDEADBEEF", p.AuthCode)
+	}
+	if p.TraceFlags == nil || *p.TraceFlags != 2 {
+		t.Errorf("traceFlags=%v, want 2", p.TraceFlags)
+	}
 	if p.Type != "TRACE" {
 		t.Errorf("type=%s, want TRACE", p.Type)
 	}
+	if p.PathData == "" {
+		t.Error("pathData should not be empty")
+	}
 }
 
 func TestDecodeAdvertShort(t *testing.T) {
@@ -833,10 +844,9 @@ func TestComputeContentHashShortHex(t *testing.T) {
 }
 
 func TestComputeContentHashTransportRoute(t *testing.T) {
-	// Route type 0 (TRANSPORT_FLOOD) with no path hops + 4 transport code bytes
-	// header=0x14 (TRANSPORT_FLOOD, ADVERT), path=0x00 (0 hops)
-	// transport codes = 4 bytes, then payload
-	hex := "1400" + "AABBCCDD" + strings.Repeat("EE", 10)
+	// Route type 0 (TRANSPORT_FLOOD) with transport codes then path=0x00 (0 hops)
+	// header=0x14 (TRANSPORT_FLOOD, ADVERT), transport(4), path=0x00
+	hex := "14" + "AABBCCDD" + "00" + strings.Repeat("EE", 10)
 	hash := ComputeContentHash(hex)
 	if len(hash) != 16 {
 		t.Errorf("hash length=%d, want 16", len(hash))
@@ -870,12 +880,10 @@ func TestComputeContentHashPayloadBeyondBufferLongHex(t *testing.T) {
 
 func TestComputeContentHashTransportBeyondBuffer(t *testing.T) {
 	// Transport route (0x00 = TRANSPORT_FLOOD) with path claiming some bytes
-	// total buffer too short for transport codes + path
-	// header=0x00, pathByte=0x02 (2 hops, 1-byte hash), then only 2 more bytes
-	// payloadStart = 2 + 2 + 4(transport) = 8, but buffer only 6 bytes
-	hex := "0002" + "AABB" + strings.Repeat("CC", 6) // 20 chars = 10 bytes
+	// header=0x00, transport(4), pathByte=0x02 (2 hops, 1-byte hash)
+	// offset=1+4+1+2=8, buffer needs to be >= 8
+	hex := "00" + "AABB" + "CCDD" + "02" + strings.Repeat("CC", 6) // 20 chars = 10 bytes  
 	hash := ComputeContentHash(hex)
-	// payloadStart = 2 + 2 + 4 = 8, buffer is 10 bytes → should work
 	if len(hash) != 16 {
 		t.Errorf("hash length=%d, want 16", len(hash))
 	}
@@ -913,8 +921,8 @@ func TestDecodePacketWithNewlines(t *testing.T) {
 }
 
 func TestDecodePacketTransportRouteTooShort(t *testing.T) {
-	// TRANSPORT_FLOOD (route=0) but only 3 bytes total → too short for transport codes
-	_, err := DecodePacket("140011", nil)
+	// TRANSPORT_FLOOD (route=0) but only 2 bytes total → too short for transport codes
+	_, err := DecodePacket("1400", nil)
 	if err == nil {
 		t.Error("expected error for transport route with too-short buffer")
 	}
@@ -931,16 +939,19 @@ func TestDecodeAckShort(t *testing.T) {
 }
 
 func TestDecodeAckValid(t *testing.T) {
-	buf := []byte{0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}
+	buf := []byte{0xAA, 0xBB, 0xCC, 0xDD}
 	p := decodeAck(buf)
 	if p.Error != "" {
 		t.Errorf("unexpected error: %s", p.Error)
 	}
-	if p.DestHash != "aa" {
-		t.Errorf("destHash=%s, want aa", p.DestHash)
+	if p.ExtraHash != "ddccbbaa" {
+		t.Errorf("extraHash=%s, want ddccbbaa", p.ExtraHash)
 	}
-	if p.ExtraHash != "ccddeeff" {
-		t.Errorf("extraHash=%s, want ccddeeff", p.ExtraHash)
+	if p.DestHash != "" {
+		t.Errorf("destHash should be empty, got %s", p.DestHash)
+	}
+	if p.SrcHash != "" {
+		t.Errorf("srcHash should be empty, got %s", p.SrcHash)
 	}
 }
 

cmd/server/db_test.go

@@ -17,6 +17,8 @@ func setupTestDB(t *testing.T) *DB {
 	if err != nil {
 		t.Fatal(err)
 	}
+	// Force single connection so all goroutines share the same in-memory DB
+	conn.SetMaxOpenConns(1)
 
 	// Create schema matching MeshCore Analyzer v3
 	schema := `

cmd/server/decoder.go

@@ -54,8 +54,8 @@ type Header struct {
 
 // TransportCodes are present on TRANSPORT_FLOOD and TRANSPORT_DIRECT routes.
 type TransportCodes struct {
-	NextHop string `json:"nextHop"`
-	LastHop string `json:"lastHop"`
+	Code1 string `json:"code1"`
+	Code2 string `json:"code2"`
 }
 
 // Path holds decoded path/hop information.
@@ -74,6 +74,8 @@ type AdvertFlags struct {
 	Room        bool `json:"room"`
 	Sensor      bool `json:"sensor"`
 	HasLocation bool `json:"hasLocation"`
+	HasFeat1    bool `json:"hasFeat1"`
+	HasFeat2    bool `json:"hasFeat2"`
 	HasName     bool `json:"hasName"`
 }
 
@@ -97,6 +99,8 @@ type Payload struct {
 	EphemeralPubKey string       `json:"ephemeralPubKey,omitempty"`
 	PathData        string       `json:"pathData,omitempty"`
 	Tag             uint32       `json:"tag,omitempty"`
+	AuthCode        uint32       `json:"authCode,omitempty"`
+	TraceFlags      *int         `json:"traceFlags,omitempty"`
 	RawHex          string       `json:"raw,omitempty"`
 	Error           string       `json:"error,omitempty"`
 }
@@ -173,14 +177,13 @@ func decodeEncryptedPayload(typeName string, buf []byte) Payload {
 }
 
 func decodeAck(buf []byte) Payload {
-	if len(buf) < 6 {
+	if len(buf) < 4 {
 		return Payload{Type: "ACK", Error: "too short", RawHex: hex.EncodeToString(buf)}
 	}
+	checksum := binary.LittleEndian.Uint32(buf[0:4])
 	return Payload{
 		Type:      "ACK",
-		DestHash:  hex.EncodeToString(buf[0:1]),
-		SrcHash:   hex.EncodeToString(buf[1:2]),
-		ExtraHash: hex.EncodeToString(buf[2:6]),
+		ExtraHash: fmt.Sprintf("%08x", checksum),
 	}
 }
 
@@ -205,6 +208,8 @@ func decodeAdvert(buf []byte) Payload {
 	if len(appdata) > 0 {
 		flags := appdata[0]
 		advType := int(flags & 0x0F)
+		hasFeat1 := flags&0x20 != 0
+		hasFeat2 := flags&0x40 != 0
 		p.Flags = &AdvertFlags{
 			Raw:         int(flags),
 			Type:        advType,
@@ -213,6 +218,8 @@ func decodeAdvert(buf []byte) Payload {
 			Room:        advType == 3,
 			Sensor:      advType == 4,
 			HasLocation: flags&0x10 != 0,
+			HasFeat1:    hasFeat1,
+			HasFeat2:    hasFeat2,
 			HasName:     flags&0x80 != 0,
 		}
 
@@ -226,6 +233,12 @@ func decodeAdvert(buf []byte) Payload {
 			p.Lon = &lon
 			off += 8
 		}
+		if hasFeat1 && len(appdata) >= off+2 {
+			off += 2  // skip feat1 bytes (reserved for future use)
+		}
+		if hasFeat2 && len(appdata) >= off+2 {
+			off += 2  // skip feat2 bytes (reserved for future use)
+		}
 		if p.Flags.HasName {
 			name := string(appdata[off:])
 			name = strings.TrimRight(name, "\x00")
@@ -276,15 +289,22 @@ func decodePathPayload(buf []byte) Payload {
 }
 
 func decodeTrace(buf []byte) Payload {
-	if len(buf) < 12 {
+	if len(buf) < 9 {
 		return Payload{Type: "TRACE", Error: "too short", RawHex: hex.EncodeToString(buf)}
 	}
-	return Payload{
-		Type:     "TRACE",
-		DestHash: hex.EncodeToString(buf[5:11]),
-		SrcHash:  hex.EncodeToString(buf[11:12]),
-		Tag:      binary.LittleEndian.Uint32(buf[1:5]),
+	tag := binary.LittleEndian.Uint32(buf[0:4])
+	authCode := binary.LittleEndian.Uint32(buf[4:8])
+	flags := int(buf[8])
+	p := Payload{
+		Type:       "TRACE",
+		Tag:        tag,
+		AuthCode:   authCode,
+		TraceFlags: &flags,
 	}
+	if len(buf) > 9 {
+		p.PathData = hex.EncodeToString(buf[9:])
+	}
+	return p
 }
 
 func decodePayload(payloadType int, buf []byte) Payload {
@@ -327,8 +347,7 @@ func DecodePacket(hexString string) (*DecodedPacket, error) {
 	}
 
 	header := decodeHeader(buf[0])
-	pathByte := buf[1]
-	offset := 2
+	offset := 1
 
 	var tc *TransportCodes
 	if isTransportRoute(header.RouteType) {
@@ -336,12 +355,18 @@ func DecodePacket(hexString string) (*DecodedPacket, error) {
 			return nil, fmt.Errorf("packet too short for transport codes")
 		}
 		tc = &TransportCodes{
-			NextHop: strings.ToUpper(hex.EncodeToString(buf[offset : offset+2])),
-			LastHop: strings.ToUpper(hex.EncodeToString(buf[offset+2 : offset+4])),
+			Code1: strings.ToUpper(hex.EncodeToString(buf[offset : offset+2])),
+			Code2: strings.ToUpper(hex.EncodeToString(buf[offset+2 : offset+4])),
 		}
 		offset += 4
 	}
 
+	if offset >= len(buf) {
+		return nil, fmt.Errorf("packet too short (no path byte)")
+	}
+	pathByte := buf[offset]
+	offset++
+
 	path, bytesConsumed := decodePath(pathByte, buf, offset)
 	offset += bytesConsumed
 
@@ -367,16 +392,24 @@ func ComputeContentHash(rawHex string) string {
 		return rawHex
 	}
 
-	pathByte := buf[1]
+	headerByte := buf[0]
+	offset := 1
+	if isTransportRoute(int(headerByte & 0x03)) {
+		offset += 4
+	}
+	if offset >= len(buf) {
+		if len(rawHex) >= 16 {
+			return rawHex[:16]
+		}
+		return rawHex
+	}
+	pathByte := buf[offset]
+	offset++
 	hashSize := int((pathByte>>6)&0x3) + 1
 	hashCount := int(pathByte & 0x3F)
 	pathBytes := hashSize * hashCount
 
-	headerByte := buf[0]
-	payloadStart := 2 + pathBytes
-	if isTransportRoute(int(headerByte & 0x03)) {
-		payloadStart += 4
-	}
+	payloadStart := offset + pathBytes
 	if payloadStart > len(buf) {
 		if len(rawHex) >= 16 {
 			return rawHex[:16]

cmd/server/parity_test.go

@@ -1,403 +1,506 @@
-package main
-
-// parity_test.go — Golden fixture shape tests.
-// Validates that Go API responses match the shape of Node.js API responses.
-// Shapes were captured from the production Node.js server and stored in
-// testdata/golden/shapes.json.
-
-import (
-	"encoding/json"
-	"fmt"
-	"net/http/httptest"
-	"os"
-	"path/filepath"
-	"runtime"
-	"strings"
-	"testing"
-)
-
-// shapeSpec describes the expected JSON structure from the Node.js server.
-type shapeSpec struct {
-	Type        string               `json:"type"`
-	Keys        map[string]shapeSpec `json:"keys,omitempty"`
-	ElementShape *shapeSpec           `json:"elementShape,omitempty"`
-	DynamicKeys  bool                 `json:"dynamicKeys,omitempty"`
-	ValueShape   *shapeSpec           `json:"valueShape,omitempty"`
-	RequiredKeys map[string]shapeSpec `json:"requiredKeys,omitempty"`
-}
-
-// loadShapes reads testdata/golden/shapes.json relative to this source file.
-func loadShapes(t *testing.T) map[string]shapeSpec {
-	t.Helper()
-	_, thisFile, _, _ := runtime.Caller(0)
-	dir := filepath.Dir(thisFile)
-	data, err := os.ReadFile(filepath.Join(dir, "testdata", "golden", "shapes.json"))
-	if err != nil {
-		t.Fatalf("cannot load shapes.json: %v", err)
-	}
-	var shapes map[string]shapeSpec
-	if err := json.Unmarshal(data, &shapes); err != nil {
-		t.Fatalf("cannot parse shapes.json: %v", err)
-	}
-	return shapes
-}
-
-// validateShape recursively checks that `actual` matches the expected `spec`.
-// `path` tracks the JSON path for error messages.
-// Returns a list of mismatch descriptions.
-func validateShape(actual interface{}, spec shapeSpec, path string) []string {
-	var errs []string
-
-	switch spec.Type {
-	case "null", "nullable":
-		// nullable means: value can be null OR matching type. Accept anything.
-		return nil
-	case "nullable_number":
-		// Can be null or number
-		if actual != nil {
-			if _, ok := actual.(float64); !ok {
-				errs = append(errs, fmt.Sprintf("%s: expected number or null, got %T", path, actual))
-			}
-		}
-		return errs
-	case "string":
-		if actual == nil {
-			errs = append(errs, fmt.Sprintf("%s: expected string, got null", path))
-		} else if _, ok := actual.(string); !ok {
-			errs = append(errs, fmt.Sprintf("%s: expected string, got %T", path, actual))
-		}
-	case "number":
-		if actual == nil {
-			errs = append(errs, fmt.Sprintf("%s: expected number, got null", path))
-		} else if _, ok := actual.(float64); !ok {
-			errs = append(errs, fmt.Sprintf("%s: expected number, got %T (%v)", path, actual, actual))
-		}
-	case "boolean":
-		if actual == nil {
-			errs = append(errs, fmt.Sprintf("%s: expected boolean, got null", path))
-		} else if _, ok := actual.(bool); !ok {
-			errs = append(errs, fmt.Sprintf("%s: expected boolean, got %T", path, actual))
-		}
-	case "array":
-		if actual == nil {
-			errs = append(errs, fmt.Sprintf("%s: expected array, got null (arrays must be [] not null)", path))
-			return errs
-		}
-		arr, ok := actual.([]interface{})
-		if !ok {
-			errs = append(errs, fmt.Sprintf("%s: expected array, got %T", path, actual))
-			return errs
-		}
-		if spec.ElementShape != nil && len(arr) > 0 {
-			errs = append(errs, validateShape(arr[0], *spec.ElementShape, path+"[0]")...)
-		}
-	case "object":
-		if actual == nil {
-			errs = append(errs, fmt.Sprintf("%s: expected object, got null", path))
-			return errs
-		}
-		obj, ok := actual.(map[string]interface{})
-		if !ok {
-			errs = append(errs, fmt.Sprintf("%s: expected object, got %T", path, actual))
-			return errs
-		}
-
-		if spec.DynamicKeys {
-			// Object with dynamic keys — validate value shapes
-			if spec.ValueShape != nil && len(obj) > 0 {
-				for k, v := range obj {
-					errs = append(errs, validateShape(v, *spec.ValueShape, path+"."+k)...)
-					break // check just one sample
-				}
-			}
-			if spec.RequiredKeys != nil {
-				for rk, rs := range spec.RequiredKeys {
-					v, exists := obj[rk]
-					if !exists {
-						errs = append(errs, fmt.Sprintf("%s: missing required key %q in dynamic-key object", path, rk))
-					} else {
-						errs = append(errs, validateShape(v, rs, path+"."+rk)...)
-					}
-				}
-			}
-		} else if spec.Keys != nil {
-			// Object with known keys — check each expected key exists and has correct type
-			for key, keySpec := range spec.Keys {
-				val, exists := obj[key]
-				if !exists {
-					errs = append(errs, fmt.Sprintf("%s: missing field %q (expected %s)", path, key, keySpec.Type))
-				} else {
-					errs = append(errs, validateShape(val, keySpec, path+"."+key)...)
-				}
-			}
-		}
-	}
-
-	return errs
-}
-
-// parityEndpoint defines one endpoint to test for parity.
-type parityEndpoint struct {
-	name     string // key in shapes.json
-	path     string // HTTP path to request
-}
-
-func TestParityShapes(t *testing.T) {
-	shapes := loadShapes(t)
-	_, router := setupTestServer(t)
-
-	endpoints := []parityEndpoint{
-		{"stats", "/api/stats"},
-		{"nodes", "/api/nodes?limit=5"},
-		{"packets", "/api/packets?limit=5"},
-		{"packets_grouped", "/api/packets?limit=5&groupByHash=true"},
-		{"observers", "/api/observers"},
-		{"channels", "/api/channels"},
-		{"channel_messages", "/api/channels/0000000000000000/messages?limit=5"},
-		{"analytics_rf", "/api/analytics/rf?days=7"},
-		{"analytics_topology", "/api/analytics/topology?days=7"},
-		{"analytics_hash_sizes", "/api/analytics/hash-sizes?days=7"},
-		{"analytics_distance", "/api/analytics/distance?days=7"},
-		{"analytics_subpaths", "/api/analytics/subpaths?days=7"},
-		{"bulk_health", "/api/nodes/bulk-health"},
-		{"health", "/api/health"},
-		{"perf", "/api/perf"},
-	}
-
-	for _, ep := range endpoints {
-		t.Run("Parity_"+ep.name, func(t *testing.T) {
-			spec, ok := shapes[ep.name]
-			if !ok {
-				t.Fatalf("no shape spec found for %q in shapes.json", ep.name)
-			}
-
-			req := httptest.NewRequest("GET", ep.path, nil)
-			w := httptest.NewRecorder()
-			router.ServeHTTP(w, req)
-
-			if w.Code != 200 {
-				t.Fatalf("GET %s returned %d, expected 200. Body: %s",
-					ep.path, w.Code, w.Body.String())
-			}
-
-			var body interface{}
-			if err := json.Unmarshal(w.Body.Bytes(), &body); err != nil {
-				t.Fatalf("GET %s returned invalid JSON: %v\nBody: %s",
-					ep.path, err, w.Body.String())
-			}
-
-			mismatches := validateShape(body, spec, ep.path)
-			if len(mismatches) > 0 {
-				t.Errorf("Go %s has %d shape mismatches vs Node.js golden:\n  %s",
-					ep.path, len(mismatches), strings.Join(mismatches, "\n  "))
-			}
-		})
-	}
-}
-
-// TestParityNodeDetail tests node detail endpoint shape.
-// Uses a known test node public key from seeded data.
-func TestParityNodeDetail(t *testing.T) {
-	shapes := loadShapes(t)
-	_, router := setupTestServer(t)
-
-	spec, ok := shapes["node_detail"]
-	if !ok {
-		t.Fatal("no shape spec for node_detail in shapes.json")
-	}
-
-	req := httptest.NewRequest("GET", "/api/nodes/aabbccdd11223344", nil)
-	w := httptest.NewRecorder()
-	router.ServeHTTP(w, req)
-
-	if w.Code != 200 {
-		t.Fatalf("node detail returned %d: %s", w.Code, w.Body.String())
-	}
-
-	var body interface{}
-	json.Unmarshal(w.Body.Bytes(), &body)
-
-	mismatches := validateShape(body, spec, "/api/nodes/{pubkey}")
-	if len(mismatches) > 0 {
-		t.Errorf("Go node detail has %d shape mismatches vs Node.js golden:\n  %s",
-			len(mismatches), strings.Join(mismatches, "\n  "))
-	}
-}
-
-// TestParityArraysNotNull verifies that array-typed fields in Go responses are
-// [] (empty array) rather than null. This is a common Go/JSON pitfall where
-// nil slices marshal as null instead of [].
-// Uses shapes.json to know which fields SHOULD be arrays.
-func TestParityArraysNotNull(t *testing.T) {
-	shapes := loadShapes(t)
-	_, router := setupTestServer(t)
-
-	endpoints := []struct {
-		name string
-		path string
-	}{
-		{"stats", "/api/stats"},
-		{"nodes", "/api/nodes?limit=5"},
-		{"packets", "/api/packets?limit=5"},
-		{"packets_grouped", "/api/packets?limit=5&groupByHash=true"},
-		{"observers", "/api/observers"},
-		{"channels", "/api/channels"},
-		{"bulk_health", "/api/nodes/bulk-health"},
-		{"analytics_rf", "/api/analytics/rf?days=7"},
-		{"analytics_topology", "/api/analytics/topology?days=7"},
-		{"analytics_hash_sizes", "/api/analytics/hash-sizes?days=7"},
-		{"analytics_distance", "/api/analytics/distance?days=7"},
-		{"analytics_subpaths", "/api/analytics/subpaths?days=7"},
-	}
-
-	for _, ep := range endpoints {
-		t.Run("NullArrayCheck_"+ep.name, func(t *testing.T) {
-			spec, ok := shapes[ep.name]
-			if !ok {
-				t.Skipf("no shape spec for %s", ep.name)
-			}
-
-			req := httptest.NewRequest("GET", ep.path, nil)
-			w := httptest.NewRecorder()
-			router.ServeHTTP(w, req)
-
-			if w.Code != 200 {
-				t.Skipf("GET %s returned %d, skipping null-array check", ep.path, w.Code)
-			}
-
-			var body interface{}
-			json.Unmarshal(w.Body.Bytes(), &body)
-
-			nullArrays := findNullArrays(body, spec, ep.path)
-			if len(nullArrays) > 0 {
-				t.Errorf("Go %s has null where [] expected:\n  %s\n"+
-					"Go nil slices marshal as null — initialize with make() or literal",
-					ep.path, strings.Join(nullArrays, "\n  "))
-			}
-		})
-	}
-}
-
-// findNullArrays walks JSON data alongside a shape spec and returns paths
-// where the spec says the field should be an array but Go returned null.
-func findNullArrays(actual interface{}, spec shapeSpec, path string) []string {
-	var nulls []string
-
-	switch spec.Type {
-	case "array":
-		if actual == nil {
-			nulls = append(nulls, fmt.Sprintf("%s: null (should be [])", path))
-		} else if arr, ok := actual.([]interface{}); ok && spec.ElementShape != nil {
-			for i, elem := range arr {
-				nulls = append(nulls, findNullArrays(elem, *spec.ElementShape, fmt.Sprintf("%s[%d]", path, i))...)
-			}
-		}
-	case "object":
-		obj, ok := actual.(map[string]interface{})
-		if !ok || obj == nil {
-			return nulls
-		}
-		if spec.Keys != nil {
-			for key, keySpec := range spec.Keys {
-				if val, exists := obj[key]; exists {
-					nulls = append(nulls, findNullArrays(val, keySpec, path+"."+key)...)
-				} else if keySpec.Type == "array" {
-					// Key missing entirely — also a null-array problem
-					nulls = append(nulls, fmt.Sprintf("%s.%s: missing (should be [])", path, key))
-				}
-			}
-		}
-		if spec.DynamicKeys && spec.ValueShape != nil {
-			for k, v := range obj {
-				nulls = append(nulls, findNullArrays(v, *spec.ValueShape, path+"."+k)...)
-				break // sample one
-			}
-		}
-	}
-
-	return nulls
-}
-
-// TestParityHealthEngine verifies Go health endpoint declares engine=go
-// while Node declares engine=node (or omits it). The Go server must always
-// identify itself.
-func TestParityHealthEngine(t *testing.T) {
-	_, router := setupTestServer(t)
-
-	req := httptest.NewRequest("GET", "/api/health", nil)
-	w := httptest.NewRecorder()
-	router.ServeHTTP(w, req)
-
-	var body map[string]interface{}
-	json.Unmarshal(w.Body.Bytes(), &body)
-
-	engine, ok := body["engine"]
-	if !ok {
-		t.Error("health response missing 'engine' field (Go server must include engine=go)")
-	} else if engine != "go" {
-		t.Errorf("health engine=%v, expected 'go'", engine)
-	}
-}
-
-// TestValidateShapeFunction directly tests the shape validator itself.
-func TestValidateShapeFunction(t *testing.T) {
-	t.Run("string match", func(t *testing.T) {
-		errs := validateShape("hello", shapeSpec{Type: "string"}, "$.x")
-		if len(errs) != 0 {
-			t.Errorf("unexpected errors: %v", errs)
-		}
-	})
-
-	t.Run("string mismatch", func(t *testing.T) {
-		errs := validateShape(42.0, shapeSpec{Type: "string"}, "$.x")
-		if len(errs) != 1 {
-			t.Errorf("expected 1 error, got %d: %v", len(errs), errs)
-		}
-	})
-
-	t.Run("null array rejected", func(t *testing.T) {
-		errs := validateShape(nil, shapeSpec{Type: "array"}, "$.arr")
-		if len(errs) != 1 || !strings.Contains(errs[0], "null") {
-			t.Errorf("expected null-array error, got: %v", errs)
-		}
-	})
-
-	t.Run("empty array OK", func(t *testing.T) {
-		errs := validateShape([]interface{}{}, shapeSpec{Type: "array"}, "$.arr")
-		if len(errs) != 0 {
-			t.Errorf("unexpected errors for empty array: %v", errs)
-		}
-	})
-
-	t.Run("missing object key", func(t *testing.T) {
-		spec := shapeSpec{Type: "object", Keys: map[string]shapeSpec{
-			"name": {Type: "string"},
-			"age":  {Type: "number"},
-		}}
-		obj := map[string]interface{}{"name": "test"}
-		errs := validateShape(obj, spec, "$.user")
-		if len(errs) != 1 || !strings.Contains(errs[0], "age") {
-			t.Errorf("expected missing age error, got: %v", errs)
-		}
-	})
-
-	t.Run("nullable allows null", func(t *testing.T) {
-		errs := validateShape(nil, shapeSpec{Type: "nullable"}, "$.x")
-		if len(errs) != 0 {
-			t.Errorf("nullable should accept null: %v", errs)
-		}
-	})
-
-	t.Run("dynamic keys validates value shape", func(t *testing.T) {
-		spec := shapeSpec{
-			Type:        "object",
-			DynamicKeys: true,
-			ValueShape:  &shapeSpec{Type: "number"},
-		}
-		obj := map[string]interface{}{"a": 1.0, "b": 2.0}
-		errs := validateShape(obj, spec, "$.dyn")
-		if len(errs) != 0 {
-			t.Errorf("unexpected errors: %v", errs)
-		}
-	})
-}
+package main
+
+// parity_test.go — Golden fixture shape tests.
+// Validates that Go API responses match the shape of Node.js API responses.
+// Shapes were captured from the production Node.js server and stored in
+// testdata/golden/shapes.json.
+
+import (
+	"encoding/json"
+	"fmt"
+	"net/http/httptest"
+	"os"
+	"path/filepath"
+	"runtime"
+	"sort"
+	"strings"
+	"testing"
+	"time"
+)
+
+// shapeSpec describes the expected JSON structure from the Node.js server.
+type shapeSpec struct {
+	Type         string               `json:"type"`
+	Keys         map[string]shapeSpec `json:"keys,omitempty"`
+	ElementShape *shapeSpec           `json:"elementShape,omitempty"`
+	DynamicKeys  bool                 `json:"dynamicKeys,omitempty"`
+	ValueShape   *shapeSpec           `json:"valueShape,omitempty"`
+	RequiredKeys map[string]shapeSpec `json:"requiredKeys,omitempty"`
+}
+
+// loadShapes reads testdata/golden/shapes.json relative to this source file.
+func loadShapes(t *testing.T) map[string]shapeSpec {
+	t.Helper()
+	_, thisFile, _, _ := runtime.Caller(0)
+	dir := filepath.Dir(thisFile)
+	data, err := os.ReadFile(filepath.Join(dir, "testdata", "golden", "shapes.json"))
+	if err != nil {
+		t.Fatalf("cannot load shapes.json: %v", err)
+	}
+	var shapes map[string]shapeSpec
+	if err := json.Unmarshal(data, &shapes); err != nil {
+		t.Fatalf("cannot parse shapes.json: %v", err)
+	}
+	return shapes
+}
+
+// validateShape recursively checks that `actual` matches the expected `spec`.
+// `path` tracks the JSON path for error messages.
+// Returns a list of mismatch descriptions.
+func validateShape(actual interface{}, spec shapeSpec, path string) []string {
+	var errs []string
+
+	switch spec.Type {
+	case "null", "nullable":
+		// nullable means: value can be null OR matching type. Accept anything.
+		return nil
+	case "nullable_number":
+		// Can be null or number
+		if actual != nil {
+			if _, ok := actual.(float64); !ok {
+				errs = append(errs, fmt.Sprintf("%s: expected number or null, got %T", path, actual))
+			}
+		}
+		return errs
+	case "string":
+		if actual == nil {
+			errs = append(errs, fmt.Sprintf("%s: expected string, got null", path))
+		} else if _, ok := actual.(string); !ok {
+			errs = append(errs, fmt.Sprintf("%s: expected string, got %T", path, actual))
+		}
+	case "number":
+		if actual == nil {
+			errs = append(errs, fmt.Sprintf("%s: expected number, got null", path))
+		} else if _, ok := actual.(float64); !ok {
+			errs = append(errs, fmt.Sprintf("%s: expected number, got %T (%v)", path, actual, actual))
+		}
+	case "boolean":
+		if actual == nil {
+			errs = append(errs, fmt.Sprintf("%s: expected boolean, got null", path))
+		} else if _, ok := actual.(bool); !ok {
+			errs = append(errs, fmt.Sprintf("%s: expected boolean, got %T", path, actual))
+		}
+	case "array":
+		if actual == nil {
+			errs = append(errs, fmt.Sprintf("%s: expected array, got null (arrays must be [] not null)", path))
+			return errs
+		}
+		arr, ok := actual.([]interface{})
+		if !ok {
+			errs = append(errs, fmt.Sprintf("%s: expected array, got %T", path, actual))
+			return errs
+		}
+		if spec.ElementShape != nil && len(arr) > 0 {
+			errs = append(errs, validateShape(arr[0], *spec.ElementShape, path+"[0]")...)
+		}
+	case "object":
+		if actual == nil {
+			errs = append(errs, fmt.Sprintf("%s: expected object, got null", path))
+			return errs
+		}
+		obj, ok := actual.(map[string]interface{})
+		if !ok {
+			errs = append(errs, fmt.Sprintf("%s: expected object, got %T", path, actual))
+			return errs
+		}
+
+		if spec.DynamicKeys {
+			// Object with dynamic keys — validate value shapes
+			if spec.ValueShape != nil && len(obj) > 0 {
+				for k, v := range obj {
+					errs = append(errs, validateShape(v, *spec.ValueShape, path+"."+k)...)
+					break // check just one sample
+				}
+			}
+			if spec.RequiredKeys != nil {
+				for rk, rs := range spec.RequiredKeys {
+					v, exists := obj[rk]
+					if !exists {
+						errs = append(errs, fmt.Sprintf("%s: missing required key %q in dynamic-key object", path, rk))
+					} else {
+						errs = append(errs, validateShape(v, rs, path+"."+rk)...)
+					}
+				}
+			}
+		} else if spec.Keys != nil {
+			// Object with known keys — check each expected key exists and has correct type
+			for key, keySpec := range spec.Keys {
+				val, exists := obj[key]
+				if !exists {
+					errs = append(errs, fmt.Sprintf("%s: missing field %q (expected %s)", path, key, keySpec.Type))
+				} else {
+					errs = append(errs, validateShape(val, keySpec, path+"."+key)...)
+				}
+			}
+		}
+	}
+
+	return errs
+}
+
+// parityEndpoint defines one endpoint to test for parity.
+type parityEndpoint struct {
+	name string // key in shapes.json
+	path string // HTTP path to request
+}
+
+func TestParityShapes(t *testing.T) {
+	shapes := loadShapes(t)
+	_, router := setupTestServer(t)
+
+	endpoints := []parityEndpoint{
+		{"stats", "/api/stats"},
+		{"nodes", "/api/nodes?limit=5"},
+		{"packets", "/api/packets?limit=5"},
+		{"packets_grouped", "/api/packets?limit=5&groupByHash=true"},
+		{"observers", "/api/observers"},
+		{"channels", "/api/channels"},
+		{"channel_messages", "/api/channels/0000000000000000/messages?limit=5"},
+		{"analytics_rf", "/api/analytics/rf?days=7"},
+		{"analytics_topology", "/api/analytics/topology?days=7"},
+		{"analytics_hash_sizes", "/api/analytics/hash-sizes?days=7"},
+		{"analytics_distance", "/api/analytics/distance?days=7"},
+		{"analytics_subpaths", "/api/analytics/subpaths?days=7"},
+		{"bulk_health", "/api/nodes/bulk-health"},
+		{"health", "/api/health"},
+		{"perf", "/api/perf"},
+	}
+
+	for _, ep := range endpoints {
+		t.Run("Parity_"+ep.name, func(t *testing.T) {
+			spec, ok := shapes[ep.name]
+			if !ok {
+				t.Fatalf("no shape spec found for %q in shapes.json", ep.name)
+			}
+
+			req := httptest.NewRequest("GET", ep.path, nil)
+			w := httptest.NewRecorder()
+			router.ServeHTTP(w, req)
+
+			if w.Code != 200 {
+				t.Fatalf("GET %s returned %d, expected 200. Body: %s",
+					ep.path, w.Code, w.Body.String())
+			}
+
+			var body interface{}
+			if err := json.Unmarshal(w.Body.Bytes(), &body); err != nil {
+				t.Fatalf("GET %s returned invalid JSON: %v\nBody: %s",
+					ep.path, err, w.Body.String())
+			}
+
+			mismatches := validateShape(body, spec, ep.path)
+			if len(mismatches) > 0 {
+				t.Errorf("Go %s has %d shape mismatches vs Node.js golden:\n  %s",
+					ep.path, len(mismatches), strings.Join(mismatches, "\n  "))
+			}
+		})
+	}
+}
+
+// TestParityNodeDetail tests node detail endpoint shape.
+// Uses a known test node public key from seeded data.
+func TestParityNodeDetail(t *testing.T) {
+	shapes := loadShapes(t)
+	_, router := setupTestServer(t)
+
+	spec, ok := shapes["node_detail"]
+	if !ok {
+		t.Fatal("no shape spec for node_detail in shapes.json")
+	}
+
+	req := httptest.NewRequest("GET", "/api/nodes/aabbccdd11223344", nil)
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	if w.Code != 200 {
+		t.Fatalf("node detail returned %d: %s", w.Code, w.Body.String())
+	}
+
+	var body interface{}
+	json.Unmarshal(w.Body.Bytes(), &body)
+
+	mismatches := validateShape(body, spec, "/api/nodes/{pubkey}")
+	if len(mismatches) > 0 {
+		t.Errorf("Go node detail has %d shape mismatches vs Node.js golden:\n  %s",
+			len(mismatches), strings.Join(mismatches, "\n  "))
+	}
+}
+
+// TestParityArraysNotNull verifies that array-typed fields in Go responses are
+// [] (empty array) rather than null. This is a common Go/JSON pitfall where
+// nil slices marshal as null instead of [].
+// Uses shapes.json to know which fields SHOULD be arrays.
+func TestParityArraysNotNull(t *testing.T) {
+	shapes := loadShapes(t)
+	_, router := setupTestServer(t)
+
+	endpoints := []struct {
+		name string
+		path string
+	}{
+		{"stats", "/api/stats"},
+		{"nodes", "/api/nodes?limit=5"},
+		{"packets", "/api/packets?limit=5"},
+		{"packets_grouped", "/api/packets?limit=5&groupByHash=true"},
+		{"observers", "/api/observers"},
+		{"channels", "/api/channels"},
+		{"bulk_health", "/api/nodes/bulk-health"},
+		{"analytics_rf", "/api/analytics/rf?days=7"},
+		{"analytics_topology", "/api/analytics/topology?days=7"},
+		{"analytics_hash_sizes", "/api/analytics/hash-sizes?days=7"},
+		{"analytics_distance", "/api/analytics/distance?days=7"},
+		{"analytics_subpaths", "/api/analytics/subpaths?days=7"},
+	}
+
+	for _, ep := range endpoints {
+		t.Run("NullArrayCheck_"+ep.name, func(t *testing.T) {
+			spec, ok := shapes[ep.name]
+			if !ok {
+				t.Skipf("no shape spec for %s", ep.name)
+			}
+
+			req := httptest.NewRequest("GET", ep.path, nil)
+			w := httptest.NewRecorder()
+			router.ServeHTTP(w, req)
+
+			if w.Code != 200 {
+				t.Skipf("GET %s returned %d, skipping null-array check", ep.path, w.Code)
+			}
+
+			var body interface{}
+			json.Unmarshal(w.Body.Bytes(), &body)
+
+			nullArrays := findNullArrays(body, spec, ep.path)
+			if len(nullArrays) > 0 {
+				t.Errorf("Go %s has null where [] expected:\n  %s\n"+
+					"Go nil slices marshal as null — initialize with make() or literal",
+					ep.path, strings.Join(nullArrays, "\n  "))
+			}
+		})
+	}
+}
+
+// findNullArrays walks JSON data alongside a shape spec and returns paths
+// where the spec says the field should be an array but Go returned null.
+func findNullArrays(actual interface{}, spec shapeSpec, path string) []string {
+	var nulls []string
+
+	switch spec.Type {
+	case "array":
+		if actual == nil {
+			nulls = append(nulls, fmt.Sprintf("%s: null (should be [])", path))
+		} else if arr, ok := actual.([]interface{}); ok && spec.ElementShape != nil {
+			for i, elem := range arr {
+				nulls = append(nulls, findNullArrays(elem, *spec.ElementShape, fmt.Sprintf("%s[%d]", path, i))...)
+			}
+		}
+	case "object":
+		obj, ok := actual.(map[string]interface{})
+		if !ok || obj == nil {
+			return nulls
+		}
+		if spec.Keys != nil {
+			for key, keySpec := range spec.Keys {
+				if val, exists := obj[key]; exists {
+					nulls = append(nulls, findNullArrays(val, keySpec, path+"."+key)...)
+				} else if keySpec.Type == "array" {
+					// Key missing entirely — also a null-array problem
+					nulls = append(nulls, fmt.Sprintf("%s.%s: missing (should be [])", path, key))
+				}
+			}
+		}
+		if spec.DynamicKeys && spec.ValueShape != nil {
+			for k, v := range obj {
+				nulls = append(nulls, findNullArrays(v, *spec.ValueShape, path+"."+k)...)
+				break // sample one
+			}
+		}
+	}
+
+	return nulls
+}
+
+// TestParityHealthEngine verifies Go health endpoint declares engine=go
+// while Node declares engine=node (or omits it). The Go server must always
+// identify itself.
+func TestParityHealthEngine(t *testing.T) {
+	_, router := setupTestServer(t)
+
+	req := httptest.NewRequest("GET", "/api/health", nil)
+	w := httptest.NewRecorder()
+	router.ServeHTTP(w, req)
+
+	var body map[string]interface{}
+	json.Unmarshal(w.Body.Bytes(), &body)
+
+	engine, ok := body["engine"]
+	if !ok {
+		t.Error("health response missing 'engine' field (Go server must include engine=go)")
+	} else if engine != "go" {
+		t.Errorf("health engine=%v, expected 'go'", engine)
+	}
+}
+
+// TestValidateShapeFunction directly tests the shape validator itself.
+func TestValidateShapeFunction(t *testing.T) {
+	t.Run("string match", func(t *testing.T) {
+		errs := validateShape("hello", shapeSpec{Type: "string"}, "$.x")
+		if len(errs) != 0 {
+			t.Errorf("unexpected errors: %v", errs)
+		}
+	})
+
+	t.Run("string mismatch", func(t *testing.T) {
+		errs := validateShape(42.0, shapeSpec{Type: "string"}, "$.x")
+		if len(errs) != 1 {
+			t.Errorf("expected 1 error, got %d: %v", len(errs), errs)
+		}
+	})
+
+	t.Run("null array rejected", func(t *testing.T) {
+		errs := validateShape(nil, shapeSpec{Type: "array"}, "$.arr")
+		if len(errs) != 1 || !strings.Contains(errs[0], "null") {
+			t.Errorf("expected null-array error, got: %v", errs)
+		}
+	})
+
+	t.Run("empty array OK", func(t *testing.T) {
+		errs := validateShape([]interface{}{}, shapeSpec{Type: "array"}, "$.arr")
+		if len(errs) != 0 {
+			t.Errorf("unexpected errors for empty array: %v", errs)
+		}
+	})
+
+	t.Run("missing object key", func(t *testing.T) {
+		spec := shapeSpec{Type: "object", Keys: map[string]shapeSpec{
+			"name": {Type: "string"},
+			"age":  {Type: "number"},
+		}}
+		obj := map[string]interface{}{"name": "test"}
+		errs := validateShape(obj, spec, "$.user")
+		if len(errs) != 1 || !strings.Contains(errs[0], "age") {
+			t.Errorf("expected missing age error, got: %v", errs)
+		}
+	})
+
+	t.Run("nullable allows null", func(t *testing.T) {
+		errs := validateShape(nil, shapeSpec{Type: "nullable"}, "$.x")
+		if len(errs) != 0 {
+			t.Errorf("nullable should accept null: %v", errs)
+		}
+	})
+
+	t.Run("dynamic keys validates value shape", func(t *testing.T) {
+		spec := shapeSpec{
+			Type:        "object",
+			DynamicKeys: true,
+			ValueShape:  &shapeSpec{Type: "number"},
+		}
+		obj := map[string]interface{}{"a": 1.0, "b": 2.0}
+		errs := validateShape(obj, spec, "$.dyn")
+		if len(errs) != 0 {
+			t.Errorf("unexpected errors: %v", errs)
+		}
+	})
+}
+
+func TestParityWSMultiObserverGolden(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+	seedTestData(t, db)
+	hub := NewHub()
+	store := NewPacketStore(db)
+	if err := store.Load(); err != nil {
+		t.Fatalf("store load failed: %v", err)
+	}
+
+	poller := NewPoller(db, hub, 50*time.Millisecond)
+	poller.store = store
+
+	client := &Client{send: make(chan []byte, 256)}
+	hub.Register(client)
+	defer hub.Unregister(client)
+
+	go poller.Start()
+	defer poller.Stop()
+
+	// Wait for poller to initialize its lastID/lastObsID cursors before
+	// inserting new data; otherwise the poller may snapshot a lastID that
+	// already includes the test data and never broadcast it.
+	time.Sleep(100 * time.Millisecond)
+
+	now := time.Now().UTC().Format(time.RFC3339)
+	if _, err := db.conn.Exec(`INSERT INTO transmissions (raw_hex, hash, first_seen, route_type, payload_type, decoded_json)
+		VALUES ('BEEF', 'goldenstarburst237', ?, 1, 4, '{"pubKey":"aabbccdd11223344","type":"ADVERT"}')`, now); err != nil {
+		t.Fatalf("insert tx failed: %v", err)
+	}
+	var txID int
+	if err := db.conn.QueryRow(`SELECT id FROM transmissions WHERE hash='goldenstarburst237'`).Scan(&txID); err != nil {
+		t.Fatalf("query tx id failed: %v", err)
+	}
+	ts := time.Now().Unix()
+	if _, err := db.conn.Exec(`INSERT INTO observations (transmission_id, observer_idx, snr, rssi, path_json, timestamp)
+		VALUES (?, 1, 11.0, -88, '["p1"]', ?),
+		       (?, 2, 9.0, -92, '["p1","p2"]', ?),
+		       (?, 1, 7.0, -96, '["p1","p2","p3"]', ?)`,
+		txID, ts, txID, ts+1, txID, ts+2); err != nil {
+		t.Fatalf("insert obs failed: %v", err)
+	}
+
+	type golden struct {
+		Hash        string
+		Count       int
+		Paths       []string
+		ObserverIDs []string
+	}
+	expected := golden{
+		Hash:        "goldenstarburst237",
+		Count:       3,
+		Paths:       []string{`["p1"]`, `["p1","p2"]`, `["p1","p2","p3"]`},
+		ObserverIDs: []string{"obs1", "obs2"},
+	}
+
+	gotPaths := make([]string, 0, expected.Count)
+	gotObservers := make(map[string]bool)
+	deadline := time.After(2 * time.Second)
+	for len(gotPaths) < expected.Count {
+		select {
+		case raw := <-client.send:
+			var msg map[string]interface{}
+			if err := json.Unmarshal(raw, &msg); err != nil {
+				t.Fatalf("unmarshal ws message failed: %v", err)
+			}
+			if msg["type"] != "packet" {
+				continue
+			}
+			data, _ := msg["data"].(map[string]interface{})
+			if data == nil || data["hash"] != expected.Hash {
+				continue
+			}
+			if path, ok := data["path_json"].(string); ok {
+				gotPaths = append(gotPaths, path)
+			}
+			if oid, ok := data["observer_id"].(string); ok && oid != "" {
+				gotObservers[oid] = true
+			}
+		case <-deadline:
+			t.Fatalf("timed out waiting for %d ws messages, got %d", expected.Count, len(gotPaths))
+		}
+	}
+
+	sort.Strings(gotPaths)
+	sort.Strings(expected.Paths)
+	if len(gotPaths) != len(expected.Paths) {
+		t.Fatalf("path count mismatch: got %d want %d", len(gotPaths), len(expected.Paths))
+	}
+	for i := range expected.Paths {
+		if gotPaths[i] != expected.Paths[i] {
+			t.Fatalf("path mismatch at %d: got %q want %q", i, gotPaths[i], expected.Paths[i])
+		}
+	}
+	for _, oid := range expected.ObserverIDs {
+		if !gotObservers[oid] {
+			t.Fatalf("missing expected observer %q in ws messages", oid)
+		}
+	}
+}

cmd/server/routes.go

@@ -33,6 +33,11 @@ type Server struct {
 	memStatsMu   sync.Mutex
 	memStatsCache runtime.MemStats
 	memStatsCachedAt time.Time
+
+	// Cached /api/stats response — recomputed at most once every 10s
+	statsMu      sync.Mutex
+	statsCache   *StatsResponse
+	statsCachedAt time.Time
 }
 
 // PerfStats tracks request performance.
@@ -380,6 +385,17 @@ func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) handleStats(w http.ResponseWriter, r *http.Request) {
+	const statsTTL = 10 * time.Second
+
+	s.statsMu.Lock()
+	if s.statsCache != nil && time.Since(s.statsCachedAt) < statsTTL {
+		cached := s.statsCache
+		s.statsMu.Unlock()
+		writeJSON(w, cached)
+		return
+	}
+	s.statsMu.Unlock()
+
 	var stats *Stats
 	var err error
 	if s.store != nil {
@@ -392,7 +408,7 @@ func (s *Server) handleStats(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	counts := s.db.GetRoleCounts()
-	writeJSON(w, StatsResponse{
+	resp := &StatsResponse{
 		TotalPackets:       stats.TotalPackets,
 		TotalTransmissions: &stats.TotalTransmissions,
 		TotalObservations:  stats.TotalObservations,
@@ -411,7 +427,14 @@ func (s *Server) handleStats(w http.ResponseWriter, r *http.Request) {
 			Companions: counts["companions"],
 			Sensors:    counts["sensors"],
 		},
-	})
+	}
+
+	s.statsMu.Lock()
+	s.statsCache = resp
+	s.statsCachedAt = time.Now()
+	s.statsMu.Unlock()
+
+	writeJSON(w, resp)
 }
 
 func (s *Server) handlePerf(w http.ResponseWriter, r *http.Request) {

cmd/server/store.go

@@ -98,6 +98,11 @@ type PacketStore struct {
 	// computed during Load() and incrementally updated on ingest.
 	distHops  []distHopRecord
 	distPaths []distPathRecord
+
+	// Cached GetNodeHashSizeInfo result — recomputed at most once every 15s
+	hashSizeInfoMu    sync.Mutex
+	hashSizeInfoCache map[string]*hashSizeNodeInfo
+	hashSizeInfoAt    time.Time
 }
 
 // Precomputed distance records for fast analytics aggregation.
@@ -1034,7 +1039,7 @@ func (s *PacketStore) IngestNewFromDB(sinceID, limit int) ([]map[string]interfac
 		}
 	}
 
-	// Build broadcast maps (same shape as Node.js WS broadcast)
+	// Build broadcast maps (same shape as Node.js WS broadcast), one per observation.
 	result := make([]map[string]interface{}, 0, len(broadcastOrder))
 	for _, txID := range broadcastOrder {
 		tx := broadcastTxs[txID]
@@ -1050,32 +1055,34 @@ func (s *PacketStore) IngestNewFromDB(sinceID, limit int) ([]map[string]interfac
 				decoded["payload"] = payload
 			}
 		}
-		// Build the nested packet object (packets.js checks m.data.packet)
-		pkt := map[string]interface{}{
-			"id":                tx.ID,
-			"raw_hex":           strOrNil(tx.RawHex),
-			"hash":              strOrNil(tx.Hash),
-			"first_seen":        strOrNil(tx.FirstSeen),
-			"timestamp":         strOrNil(tx.FirstSeen),
-			"route_type":        intPtrOrNil(tx.RouteType),
-			"payload_type":      intPtrOrNil(tx.PayloadType),
-			"decoded_json":      strOrNil(tx.DecodedJSON),
-			"observer_id":       strOrNil(tx.ObserverID),
-			"observer_name":     strOrNil(tx.ObserverName),
-			"snr":               floatPtrOrNil(tx.SNR),
-			"rssi":              floatPtrOrNil(tx.RSSI),
-			"path_json":         strOrNil(tx.PathJSON),
-			"direction":         strOrNil(tx.Direction),
-			"observation_count": tx.ObservationCount,
+		for _, obs := range tx.Observations {
+			// Build the nested packet object (packets.js checks m.data.packet)
+			pkt := map[string]interface{}{
+				"id":                tx.ID,
+				"raw_hex":           strOrNil(tx.RawHex),
+				"hash":              strOrNil(tx.Hash),
+				"first_seen":        strOrNil(tx.FirstSeen),
+				"timestamp":         strOrNil(tx.FirstSeen),
+				"route_type":        intPtrOrNil(tx.RouteType),
+				"payload_type":      intPtrOrNil(tx.PayloadType),
+				"decoded_json":      strOrNil(tx.DecodedJSON),
+				"observer_id":       strOrNil(obs.ObserverID),
+				"observer_name":     strOrNil(obs.ObserverName),
+				"snr":               floatPtrOrNil(obs.SNR),
+				"rssi":              floatPtrOrNil(obs.RSSI),
+				"path_json":         strOrNil(obs.PathJSON),
+				"direction":         strOrNil(obs.Direction),
+				"observation_count": tx.ObservationCount,
+			}
+			// Broadcast map: top-level fields for live.js + nested packet for packets.js
+			broadcastMap := make(map[string]interface{}, len(pkt)+2)
+			for k, v := range pkt {
+				broadcastMap[k] = v
+			}
+			broadcastMap["decoded"] = decoded
+			broadcastMap["packet"] = pkt
+			result = append(result, broadcastMap)
 		}
-		// Broadcast map: top-level fields for live.js + nested packet for packets.js
-		broadcastMap := make(map[string]interface{}, len(pkt)+2)
-		for k, v := range pkt {
-			broadcastMap[k] = v
-		}
-		broadcastMap["decoded"] = decoded
-		broadcastMap["packet"] = pkt
-		result = append(result, broadcastMap)
 	}
 
 	// Invalidate analytics caches since new data was ingested
@@ -1096,7 +1103,7 @@ func (s *PacketStore) IngestNewFromDB(sinceID, limit int) ([]map[string]interfac
 // IngestNewObservations loads new observations for transmissions already in the
 // store. This catches observations that arrive after IngestNewFromDB has already
 // advanced past the transmission's ID (fixes #174).
-func (s *PacketStore) IngestNewObservations(sinceObsID, limit int) int {
+func (s *PacketStore) IngestNewObservations(sinceObsID, limit int) []map[string]interface{} {
 	if limit <= 0 {
 		limit = 500
 	}
@@ -1122,7 +1129,7 @@ func (s *PacketStore) IngestNewObservations(sinceObsID, limit int) int {
 	rows, err := s.db.conn.Query(querySQL, sinceObsID, limit)
 	if err != nil {
 		log.Printf("[store] ingest observations query error: %v", err)
-		return sinceObsID
+		return nil
 	}
 	defer rows.Close()
 
@@ -1165,20 +1172,16 @@ func (s *PacketStore) IngestNewObservations(sinceObsID, limit int) int {
 	}
 
 	if len(obsRows) == 0 {
-		return sinceObsID
+		return nil
 	}
 
 	s.mu.Lock()
 	defer s.mu.Unlock()
 
-	newMaxObsID := sinceObsID
 	updatedTxs := make(map[int]*StoreTx)
+	broadcastMaps := make([]map[string]interface{}, 0, len(obsRows))
 
 	for _, r := range obsRows {
-		if r.obsID > newMaxObsID {
-			newMaxObsID = r.obsID
-		}
-
 		// Already ingested (e.g. by IngestNewFromDB in same cycle)
 		if _, exists := s.byObsID[r.obsID]; exists {
 			continue
@@ -1221,6 +1224,43 @@ func (s *PacketStore) IngestNewObservations(sinceObsID, limit int) int {
 		}
 		s.totalObs++
 		updatedTxs[r.txID] = tx
+
+		decoded := map[string]interface{}{
+			"header": map[string]interface{}{
+				"payloadTypeName": resolvePayloadTypeName(tx.PayloadType),
+			},
+		}
+		if tx.DecodedJSON != "" {
+			var payload map[string]interface{}
+			if json.Unmarshal([]byte(tx.DecodedJSON), &payload) == nil {
+				decoded["payload"] = payload
+			}
+		}
+
+		pkt := map[string]interface{}{
+			"id":                tx.ID,
+			"raw_hex":           strOrNil(tx.RawHex),
+			"hash":              strOrNil(tx.Hash),
+			"first_seen":        strOrNil(tx.FirstSeen),
+			"timestamp":         strOrNil(tx.FirstSeen),
+			"route_type":        intPtrOrNil(tx.RouteType),
+			"payload_type":      intPtrOrNil(tx.PayloadType),
+			"decoded_json":      strOrNil(tx.DecodedJSON),
+			"observer_id":       strOrNil(obs.ObserverID),
+			"observer_name":     strOrNil(obs.ObserverName),
+			"snr":               floatPtrOrNil(obs.SNR),
+			"rssi":              floatPtrOrNil(obs.RSSI),
+			"path_json":         strOrNil(obs.PathJSON),
+			"direction":         strOrNil(obs.Direction),
+			"observation_count": tx.ObservationCount,
+		}
+		broadcastMap := make(map[string]interface{}, len(pkt)+2)
+		for k, v := range pkt {
+			broadcastMap[k] = v
+		}
+		broadcastMap["decoded"] = decoded
+		broadcastMap["packet"] = pkt
+		broadcastMaps = append(broadcastMaps, broadcastMap)
 	}
 
 	// Re-pick best observation for updated transmissions and update subpath index
@@ -1275,7 +1315,7 @@ func (s *PacketStore) IngestNewObservations(sinceObsID, limit int) int {
 		// analytics caches cleared; no per-cycle log to avoid stdout overhead
 	}
 
-	return newMaxObsID
+	return broadcastMaps
 }
 
 // MaxTransmissionID returns the highest transmission ID in the store.
@@ -3722,8 +3762,26 @@ type hashSizeNodeInfo struct {
 	Inconsistent bool
 }
 
-// GetNodeHashSizeInfo scans advert packets to compute per-node hash size data.
+// GetNodeHashSizeInfo returns cached per-node hash size data, recomputing at most every 15s.
 func (s *PacketStore) GetNodeHashSizeInfo() map[string]*hashSizeNodeInfo {
+	const ttl = 15 * time.Second
+	s.hashSizeInfoMu.Lock()
+	if s.hashSizeInfoCache != nil && time.Since(s.hashSizeInfoAt) < ttl {
+		cached := s.hashSizeInfoCache
+		s.hashSizeInfoMu.Unlock()
+		return cached
+	}
+	s.hashSizeInfoMu.Unlock()
+	result := s.computeNodeHashSizeInfo()
+	s.hashSizeInfoMu.Lock()
+	s.hashSizeInfoCache = result
+	s.hashSizeInfoAt = time.Now()
+	s.hashSizeInfoMu.Unlock()
+	return result
+}
+
+// computeNodeHashSizeInfo scans advert packets to compute per-node hash size data.
+func (s *PacketStore) computeNodeHashSizeInfo() map[string]*hashSizeNodeInfo {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 

cmd/server/websocket.go

@@ -1,229 +1,245 @@
-package main
-
-import (
-	"encoding/json"
-	"log"
-	"net/http"
-	"strings"
-	"sync"
-	"time"
-
-	"github.com/gorilla/websocket"
-)
-
-var upgrader = websocket.Upgrader{
-	ReadBufferSize:  1024,
-	WriteBufferSize: 4096,
-	CheckOrigin:     func(r *http.Request) bool { return true },
-}
-
-// Hub manages WebSocket clients and broadcasts.
-type Hub struct {
-	mu      sync.RWMutex
-	clients map[*Client]bool
-}
-
-// Client is a single WebSocket connection.
-type Client struct {
-	conn *websocket.Conn
-	send chan []byte
-}
-
-func NewHub() *Hub {
-	return &Hub{
-		clients: make(map[*Client]bool),
-	}
-}
-
-func (h *Hub) ClientCount() int {
-	h.mu.RLock()
-	defer h.mu.RUnlock()
-	return len(h.clients)
-}
-
-func (h *Hub) Register(c *Client) {
-	h.mu.Lock()
-	h.clients[c] = true
-	h.mu.Unlock()
-	log.Printf("[ws] client connected (%d total)", h.ClientCount())
-}
-
-func (h *Hub) Unregister(c *Client) {
-	h.mu.Lock()
-	if _, ok := h.clients[c]; ok {
-		delete(h.clients, c)
-		close(c.send)
-	}
-	h.mu.Unlock()
-	log.Printf("[ws] client disconnected (%d total)", h.ClientCount())
-}
-
-// Broadcast sends a message to all connected clients.
-func (h *Hub) Broadcast(msg interface{}) {
-	data, err := json.Marshal(msg)
-	if err != nil {
-		log.Printf("[ws] marshal error: %v", err)
-		return
-	}
-	h.mu.RLock()
-	defer h.mu.RUnlock()
-	for c := range h.clients {
-		select {
-		case c.send <- data:
-		default:
-			// Client buffer full — drop
-		}
-	}
-}
-
-// ServeWS handles the WebSocket upgrade and runs the client.
-func (h *Hub) ServeWS(w http.ResponseWriter, r *http.Request) {
-	conn, err := upgrader.Upgrade(w, r, nil)
-	if err != nil {
-		log.Printf("[ws] upgrade error: %v", err)
-		return
-	}
-
-	client := &Client{
-		conn: conn,
-		send: make(chan []byte, 256),
-	}
-	h.Register(client)
-
-	go client.writePump()
-	go client.readPump(h)
-}
-
-// wsOrStatic upgrades WebSocket requests at any path, serves static files otherwise.
-func wsOrStatic(hub *Hub, static http.Handler) http.Handler {
-	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		if strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
-			hub.ServeWS(w, r)
-			return
-		}
-		static.ServeHTTP(w, r)
-	})
-}
-
-func (c *Client) readPump(hub *Hub) {
-	defer func() {
-		hub.Unregister(c)
-		c.conn.Close()
-	}()
-	c.conn.SetReadLimit(512)
-	c.conn.SetReadDeadline(time.Now().Add(60 * time.Second))
-	c.conn.SetPongHandler(func(string) error {
-		c.conn.SetReadDeadline(time.Now().Add(60 * time.Second))
-		return nil
-	})
-	for {
-		_, _, err := c.conn.ReadMessage()
-		if err != nil {
-			break
-		}
-	}
-}
-
-func (c *Client) writePump() {
-	ticker := time.NewTicker(30 * time.Second)
-	defer func() {
-		ticker.Stop()
-		c.conn.Close()
-	}()
-	for {
-		select {
-		case message, ok := <-c.send:
-			c.conn.SetWriteDeadline(time.Now().Add(10 * time.Second))
-			if !ok {
-				c.conn.WriteMessage(websocket.CloseMessage, []byte{})
-				return
-			}
-			if err := c.conn.WriteMessage(websocket.TextMessage, message); err != nil {
-				return
-			}
-		case <-ticker.C:
-			c.conn.SetWriteDeadline(time.Now().Add(10 * time.Second))
-			if err := c.conn.WriteMessage(websocket.PingMessage, nil); err != nil {
-				return
-			}
-		}
-	}
-}
-
-// Poller watches for new transmissions in SQLite and broadcasts them.
-type Poller struct {
-	db       *DB
-	hub      *Hub
-	store    *PacketStore // optional: if set, new transmissions are ingested into memory
-	interval time.Duration
-	stop     chan struct{}
-}
-
-func NewPoller(db *DB, hub *Hub, interval time.Duration) *Poller {
-	return &Poller{db: db, hub: hub, interval: interval, stop: make(chan struct{})}
-}
-
-func (p *Poller) Start() {
-	lastID := p.db.GetMaxTransmissionID()
-	lastObsID := p.db.GetMaxObservationID()
-	log.Printf("[poller] starting from transmission ID %d, obs ID %d, interval %v", lastID, lastObsID, p.interval)
-
-	ticker := time.NewTicker(p.interval)
-	defer ticker.Stop()
-
-	for {
-		select {
-		case <-ticker.C:
-			if p.store != nil {
-				// Ingest new transmissions into in-memory store and broadcast
-				newTxs, newMax := p.store.IngestNewFromDB(lastID, 100)
-				if newMax > lastID {
-					lastID = newMax
-				}
-				// Ingest new observations for existing transmissions (fixes #174)
-				newObsMax := p.store.IngestNewObservations(lastObsID, 500)
-				if newObsMax > lastObsID {
-					lastObsID = newObsMax
-				}
-				if len(newTxs) > 0 {
-					log.Printf("[broadcast] sending %d packets to %d clients (lastID now %d)", len(newTxs), p.hub.ClientCount(), lastID)
-				}
-				for _, tx := range newTxs {
-					p.hub.Broadcast(WSMessage{
-						Type: "packet",
-						Data: tx,
-					})
-				}
-			} else {
-				// Fallback: direct DB query (used when store is nil, e.g. tests)
-				newTxs, err := p.db.GetNewTransmissionsSince(lastID, 100)
-				if err != nil {
-					log.Printf("[poller] error: %v", err)
-					continue
-				}
-				for _, tx := range newTxs {
-					id, _ := tx["id"].(int)
-					if id > lastID {
-						lastID = id
-					}
-					// Copy packet fields for the nested packet (avoids circular ref)
-					pkt := make(map[string]interface{}, len(tx))
-					for k, v := range tx {
-						pkt[k] = v
-					}
-					tx["packet"] = pkt
-					p.hub.Broadcast(WSMessage{
-						Type: "packet",
-						Data: tx,
-					})
-				}
-			}
-		case <-p.stop:
-			return
-		}
-	}
-}
-
-func (p *Poller) Stop() {
-	close(p.stop)
-}
+package main
+
+import (
+	"encoding/json"
+	"log"
+	"net/http"
+	"strings"
+	"sync"
+	"time"
+
+	"github.com/gorilla/websocket"
+)
+
+var upgrader = websocket.Upgrader{
+	ReadBufferSize:  1024,
+	WriteBufferSize: 4096,
+	CheckOrigin:     func(r *http.Request) bool { return true },
+}
+
+// Hub manages WebSocket clients and broadcasts.
+type Hub struct {
+	mu      sync.RWMutex
+	clients map[*Client]bool
+}
+
+// Client is a single WebSocket connection.
+type Client struct {
+	conn *websocket.Conn
+	send chan []byte
+}
+
+func NewHub() *Hub {
+	return &Hub{
+		clients: make(map[*Client]bool),
+	}
+}
+
+func (h *Hub) ClientCount() int {
+	h.mu.RLock()
+	defer h.mu.RUnlock()
+	return len(h.clients)
+}
+
+func (h *Hub) Register(c *Client) {
+	h.mu.Lock()
+	h.clients[c] = true
+	h.mu.Unlock()
+	log.Printf("[ws] client connected (%d total)", h.ClientCount())
+}
+
+func (h *Hub) Unregister(c *Client) {
+	h.mu.Lock()
+	if _, ok := h.clients[c]; ok {
+		delete(h.clients, c)
+		close(c.send)
+	}
+	h.mu.Unlock()
+	log.Printf("[ws] client disconnected (%d total)", h.ClientCount())
+}
+
+// Broadcast sends a message to all connected clients.
+func (h *Hub) Broadcast(msg interface{}) {
+	data, err := json.Marshal(msg)
+	if err != nil {
+		log.Printf("[ws] marshal error: %v", err)
+		return
+	}
+	h.mu.RLock()
+	defer h.mu.RUnlock()
+	for c := range h.clients {
+		select {
+		case c.send <- data:
+		default:
+			// Client buffer full — drop
+		}
+	}
+}
+
+// ServeWS handles the WebSocket upgrade and runs the client.
+func (h *Hub) ServeWS(w http.ResponseWriter, r *http.Request) {
+	conn, err := upgrader.Upgrade(w, r, nil)
+	if err != nil {
+		log.Printf("[ws] upgrade error: %v", err)
+		return
+	}
+
+	client := &Client{
+		conn: conn,
+		send: make(chan []byte, 256),
+	}
+	h.Register(client)
+
+	go client.writePump()
+	go client.readPump(h)
+}
+
+// wsOrStatic upgrades WebSocket requests at any path, serves static files otherwise.
+func wsOrStatic(hub *Hub, static http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		if strings.EqualFold(r.Header.Get("Upgrade"), "websocket") {
+			hub.ServeWS(w, r)
+			return
+		}
+		static.ServeHTTP(w, r)
+	})
+}
+
+func (c *Client) readPump(hub *Hub) {
+	defer func() {
+		hub.Unregister(c)
+		c.conn.Close()
+	}()
+	c.conn.SetReadLimit(512)
+	c.conn.SetReadDeadline(time.Now().Add(60 * time.Second))
+	c.conn.SetPongHandler(func(string) error {
+		c.conn.SetReadDeadline(time.Now().Add(60 * time.Second))
+		return nil
+	})
+	for {
+		_, _, err := c.conn.ReadMessage()
+		if err != nil {
+			break
+		}
+	}
+}
+
+func (c *Client) writePump() {
+	ticker := time.NewTicker(30 * time.Second)
+	defer func() {
+		ticker.Stop()
+		c.conn.Close()
+	}()
+	for {
+		select {
+		case message, ok := <-c.send:
+			c.conn.SetWriteDeadline(time.Now().Add(10 * time.Second))
+			if !ok {
+				c.conn.WriteMessage(websocket.CloseMessage, []byte{})
+				return
+			}
+			if err := c.conn.WriteMessage(websocket.TextMessage, message); err != nil {
+				return
+			}
+		case <-ticker.C:
+			c.conn.SetWriteDeadline(time.Now().Add(10 * time.Second))
+			if err := c.conn.WriteMessage(websocket.PingMessage, nil); err != nil {
+				return
+			}
+		}
+	}
+}
+
+// Poller watches for new transmissions in SQLite and broadcasts them.
+type Poller struct {
+	db       *DB
+	hub      *Hub
+	store    *PacketStore // optional: if set, new transmissions are ingested into memory
+	interval time.Duration
+	stop     chan struct{}
+}
+
+func NewPoller(db *DB, hub *Hub, interval time.Duration) *Poller {
+	return &Poller{db: db, hub: hub, interval: interval, stop: make(chan struct{})}
+}
+
+func (p *Poller) Start() {
+	lastID := p.db.GetMaxTransmissionID()
+	lastObsID := p.db.GetMaxObservationID()
+	log.Printf("[poller] starting from transmission ID %d, obs ID %d, interval %v", lastID, lastObsID, p.interval)
+
+	ticker := time.NewTicker(p.interval)
+	defer ticker.Stop()
+
+	for {
+		select {
+		case <-ticker.C:
+			if p.store != nil {
+				// Ingest new transmissions into in-memory store and broadcast
+				newTxs, newMax := p.store.IngestNewFromDB(lastID, 100)
+				if newMax > lastID {
+					lastID = newMax
+				}
+				// Ingest new observations for existing transmissions (fixes #174)
+				nextObsID := lastObsID
+				if err := p.db.conn.QueryRow(`
+					SELECT COALESCE(MAX(id), ?) FROM (
+						SELECT id FROM observations
+						WHERE id > ?
+						ORDER BY id ASC
+						LIMIT 500
+					)`, lastObsID, lastObsID).Scan(&nextObsID); err != nil {
+					nextObsID = lastObsID
+				}
+				newObs := p.store.IngestNewObservations(lastObsID, 500)
+				if nextObsID > lastObsID {
+					lastObsID = nextObsID
+				}
+				if len(newTxs) > 0 {
+					log.Printf("[broadcast] sending %d packets to %d clients (lastID now %d)", len(newTxs), p.hub.ClientCount(), lastID)
+				}
+				for _, tx := range newTxs {
+					p.hub.Broadcast(WSMessage{
+						Type: "packet",
+						Data: tx,
+					})
+				}
+				for _, obs := range newObs {
+					p.hub.Broadcast(WSMessage{
+						Type: "packet",
+						Data: obs,
+					})
+				}
+			} else {
+				// Fallback: direct DB query (used when store is nil, e.g. tests)
+				newTxs, err := p.db.GetNewTransmissionsSince(lastID, 100)
+				if err != nil {
+					log.Printf("[poller] error: %v", err)
+					continue
+				}
+				for _, tx := range newTxs {
+					id, _ := tx["id"].(int)
+					if id > lastID {
+						lastID = id
+					}
+					// Copy packet fields for the nested packet (avoids circular ref)
+					pkt := make(map[string]interface{}, len(tx))
+					for k, v := range tx {
+						pkt[k] = v
+					}
+					tx["packet"] = pkt
+					p.hub.Broadcast(WSMessage{
+						Type: "packet",
+						Data: tx,
+					})
+				}
+			}
+		case <-p.stop:
+			return
+		}
+	}
+}
+
+func (p *Poller) Stop() {
+	close(p.stop)
+}

cmd/server/websocket_test.go

@@ -1,275 +1,415 @@
-package main
-
-import (
-	"encoding/json"
-	"net/http"
-	"net/http/httptest"
-	"testing"
-	"time"
-
-	"github.com/gorilla/websocket"
-)
-
-func TestHubBroadcast(t *testing.T) {
-	hub := NewHub()
-
-	if hub.ClientCount() != 0 {
-		t.Errorf("expected 0 clients, got %d", hub.ClientCount())
-	}
-
-	// Create a test server with WebSocket endpoint
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		hub.ServeWS(w, r)
-	}))
-	defer srv.Close()
-
-	// Connect a WebSocket client
-	wsURL := "ws" + srv.URL[4:] // replace http with ws
-	conn, _, err := websocket.DefaultDialer.Dial(wsURL, nil)
-	if err != nil {
-		t.Fatalf("dial error: %v", err)
-	}
-	defer conn.Close()
-
-	// Wait for registration
-	time.Sleep(50 * time.Millisecond)
-
-	if hub.ClientCount() != 1 {
-		t.Errorf("expected 1 client, got %d", hub.ClientCount())
-	}
-
-	// Broadcast a message
-	hub.Broadcast(map[string]interface{}{
-		"type": "packet",
-		"data": map[string]interface{}{"id": 1, "hash": "test123"},
-	})
-
-	// Read the message
-	conn.SetReadDeadline(time.Now().Add(2 * time.Second))
-	_, msg, err := conn.ReadMessage()
-	if err != nil {
-		t.Fatalf("read error: %v", err)
-	}
-	if len(msg) == 0 {
-		t.Error("expected non-empty message")
-	}
-
-	// Disconnect
-	conn.Close()
-	time.Sleep(100 * time.Millisecond)
-}
-
-func TestPollerCreation(t *testing.T) {
-	db := setupTestDB(t)
-	defer db.Close()
-	seedTestData(t, db)
-	hub := NewHub()
-
-	poller := NewPoller(db, hub, 100*time.Millisecond)
-	if poller == nil {
-		t.Fatal("expected poller")
-	}
-
-	// Start and stop
-	go poller.Start()
-	time.Sleep(200 * time.Millisecond)
-	poller.Stop()
-}
-
-func TestHubMultipleClients(t *testing.T) {
-	hub := NewHub()
-
-	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		hub.ServeWS(w, r)
-	}))
-	defer srv.Close()
-
-	wsURL := "ws" + srv.URL[4:]
-
-	// Connect two clients
-	conn1, _, err := websocket.DefaultDialer.Dial(wsURL, nil)
-	if err != nil {
-		t.Fatalf("dial error: %v", err)
-	}
-	defer conn1.Close()
-
-	conn2, _, err := websocket.DefaultDialer.Dial(wsURL, nil)
-	if err != nil {
-		t.Fatalf("dial error: %v", err)
-	}
-	defer conn2.Close()
-
-	time.Sleep(100 * time.Millisecond)
-
-	if hub.ClientCount() != 2 {
-		t.Errorf("expected 2 clients, got %d", hub.ClientCount())
-	}
-
-	// Broadcast and both should receive
-	hub.Broadcast(map[string]interface{}{"type": "test", "data": "hello"})
-
-	conn1.SetReadDeadline(time.Now().Add(2 * time.Second))
-	_, msg1, err := conn1.ReadMessage()
-	if err != nil {
-		t.Fatalf("conn1 read error: %v", err)
-	}
-	if len(msg1) == 0 {
-		t.Error("expected non-empty message on conn1")
-	}
-
-	conn2.SetReadDeadline(time.Now().Add(2 * time.Second))
-	_, msg2, err := conn2.ReadMessage()
-	if err != nil {
-		t.Fatalf("conn2 read error: %v", err)
-	}
-	if len(msg2) == 0 {
-		t.Error("expected non-empty message on conn2")
-	}
-
-	// Disconnect one
-	conn1.Close()
-	time.Sleep(100 * time.Millisecond)
-
-	// Remaining client should still work
-	hub.Broadcast(map[string]interface{}{"type": "test2"})
-
-	conn2.SetReadDeadline(time.Now().Add(2 * time.Second))
-	_, msg3, err := conn2.ReadMessage()
-	if err != nil {
-		t.Fatalf("conn2 read error after disconnect: %v", err)
-	}
-	if len(msg3) == 0 {
-		t.Error("expected non-empty message")
-	}
-}
-
-func TestBroadcastFullBuffer(t *testing.T) {
-	hub := NewHub()
-
-	// Create a client with tiny buffer (1)
-	client := &Client{
-		send: make(chan []byte, 1),
-	}
-	hub.mu.Lock()
-	hub.clients[client] = true
-	hub.mu.Unlock()
-
-	// Fill the buffer
-	client.send <- []byte("first")
-
-	// This broadcast should drop the message (buffer full)
-	hub.Broadcast(map[string]interface{}{"type": "dropped"})
-
-	// Channel should still only have the first message
-	select {
-	case msg := <-client.send:
-		if string(msg) != "first" {
-			t.Errorf("expected 'first', got %s", string(msg))
-		}
-	default:
-		t.Error("expected message in channel")
-	}
-
-	// Clean up
-	hub.mu.Lock()
-	delete(hub.clients, client)
-	hub.mu.Unlock()
-}
-
-func TestBroadcastMarshalError(t *testing.T) {
-	hub := NewHub()
-
-	// Marshal error: functions can't be marshaled to JSON
-	hub.Broadcast(map[string]interface{}{"bad": func() {}})
-	// Should not panic — just log and return
-}
-
-func TestPollerBroadcastsNewData(t *testing.T) {
-	db := setupTestDB(t)
-	defer db.Close()
-	seedTestData(t, db)
-	hub := NewHub()
-
-	// Create a client to receive broadcasts
-	client := &Client{
-		send: make(chan []byte, 256),
-	}
-	hub.mu.Lock()
-	hub.clients[client] = true
-	hub.mu.Unlock()
-
-	poller := NewPoller(db, hub, 50*time.Millisecond)
-	go poller.Start()
-
-	// Insert new data to trigger broadcast
-	db.conn.Exec(`INSERT INTO transmissions (raw_hex, hash, first_seen, route_type, payload_type)
-		VALUES ('EEFF', 'newhash123456789', '2026-01-16T10:00:00Z', 1, 4)`)
-
-	time.Sleep(200 * time.Millisecond)
-	poller.Stop()
-
-	// Check if client received broadcast with packet field (fixes #162)
-	select {
-	case msg := <-client.send:
-		if len(msg) == 0 {
-			t.Error("expected non-empty broadcast message")
-		}
-		var parsed map[string]interface{}
-		if err := json.Unmarshal(msg, &parsed); err != nil {
-			t.Fatalf("failed to parse broadcast: %v", err)
-		}
-		if parsed["type"] != "packet" {
-			t.Errorf("expected type=packet, got %v", parsed["type"])
-		}
-		data, ok := parsed["data"].(map[string]interface{})
-		if !ok {
-			t.Fatal("expected data to be an object")
-		}
-		// packets.js filters on m.data.packet — must exist
-		pkt, ok := data["packet"]
-		if !ok || pkt == nil {
-			t.Error("expected data.packet to exist (required by packets.js WS handler)")
-		}
-		pktMap, ok := pkt.(map[string]interface{})
-		if !ok {
-			t.Fatal("expected data.packet to be an object")
-		}
-		// Verify key fields exist in nested packet (timestamp required by packets.js)
-		for _, field := range []string{"id", "hash", "payload_type", "timestamp"} {
-			if _, exists := pktMap[field]; !exists {
-				t.Errorf("expected data.packet.%s to exist", field)
-			}
-		}
-	default:
-		// Might not have received due to timing
-	}
-
-	// Clean up
-	hub.mu.Lock()
-	delete(hub.clients, client)
-	hub.mu.Unlock()
-}
-
-func TestHubRegisterUnregister(t *testing.T) {
-	hub := NewHub()
-
-	client := &Client{
-		send: make(chan []byte, 256),
-	}
-
-	hub.Register(client)
-	if hub.ClientCount() != 1 {
-		t.Errorf("expected 1 client after register, got %d", hub.ClientCount())
-	}
-
-	hub.Unregister(client)
-	if hub.ClientCount() != 0 {
-		t.Errorf("expected 0 clients after unregister, got %d", hub.ClientCount())
-	}
-
-	// Unregister again should be safe
-	hub.Unregister(client)
-	if hub.ClientCount() != 0 {
-		t.Errorf("expected 0 clients, got %d", hub.ClientCount())
-	}
-}
+package main
+
+import (
+	"encoding/json"
+	"net/http"
+	"net/http/httptest"
+	"sort"
+	"testing"
+	"time"
+
+	"github.com/gorilla/websocket"
+)
+
+func TestHubBroadcast(t *testing.T) {
+	hub := NewHub()
+
+	if hub.ClientCount() != 0 {
+		t.Errorf("expected 0 clients, got %d", hub.ClientCount())
+	}
+
+	// Create a test server with WebSocket endpoint
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		hub.ServeWS(w, r)
+	}))
+	defer srv.Close()
+
+	// Connect a WebSocket client
+	wsURL := "ws" + srv.URL[4:] // replace http with ws
+	conn, _, err := websocket.DefaultDialer.Dial(wsURL, nil)
+	if err != nil {
+		t.Fatalf("dial error: %v", err)
+	}
+	defer conn.Close()
+
+	// Wait for registration
+	time.Sleep(50 * time.Millisecond)
+
+	if hub.ClientCount() != 1 {
+		t.Errorf("expected 1 client, got %d", hub.ClientCount())
+	}
+
+	// Broadcast a message
+	hub.Broadcast(map[string]interface{}{
+		"type": "packet",
+		"data": map[string]interface{}{"id": 1, "hash": "test123"},
+	})
+
+	// Read the message
+	conn.SetReadDeadline(time.Now().Add(2 * time.Second))
+	_, msg, err := conn.ReadMessage()
+	if err != nil {
+		t.Fatalf("read error: %v", err)
+	}
+	if len(msg) == 0 {
+		t.Error("expected non-empty message")
+	}
+
+	// Disconnect
+	conn.Close()
+	time.Sleep(100 * time.Millisecond)
+}
+
+func TestPollerCreation(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+	seedTestData(t, db)
+	hub := NewHub()
+
+	poller := NewPoller(db, hub, 100*time.Millisecond)
+	if poller == nil {
+		t.Fatal("expected poller")
+	}
+
+	// Start and stop
+	go poller.Start()
+	time.Sleep(200 * time.Millisecond)
+	poller.Stop()
+}
+
+func TestHubMultipleClients(t *testing.T) {
+	hub := NewHub()
+
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		hub.ServeWS(w, r)
+	}))
+	defer srv.Close()
+
+	wsURL := "ws" + srv.URL[4:]
+
+	// Connect two clients
+	conn1, _, err := websocket.DefaultDialer.Dial(wsURL, nil)
+	if err != nil {
+		t.Fatalf("dial error: %v", err)
+	}
+	defer conn1.Close()
+
+	conn2, _, err := websocket.DefaultDialer.Dial(wsURL, nil)
+	if err != nil {
+		t.Fatalf("dial error: %v", err)
+	}
+	defer conn2.Close()
+
+	time.Sleep(100 * time.Millisecond)
+
+	if hub.ClientCount() != 2 {
+		t.Errorf("expected 2 clients, got %d", hub.ClientCount())
+	}
+
+	// Broadcast and both should receive
+	hub.Broadcast(map[string]interface{}{"type": "test", "data": "hello"})
+
+	conn1.SetReadDeadline(time.Now().Add(2 * time.Second))
+	_, msg1, err := conn1.ReadMessage()
+	if err != nil {
+		t.Fatalf("conn1 read error: %v", err)
+	}
+	if len(msg1) == 0 {
+		t.Error("expected non-empty message on conn1")
+	}
+
+	conn2.SetReadDeadline(time.Now().Add(2 * time.Second))
+	_, msg2, err := conn2.ReadMessage()
+	if err != nil {
+		t.Fatalf("conn2 read error: %v", err)
+	}
+	if len(msg2) == 0 {
+		t.Error("expected non-empty message on conn2")
+	}
+
+	// Disconnect one
+	conn1.Close()
+	time.Sleep(100 * time.Millisecond)
+
+	// Remaining client should still work
+	hub.Broadcast(map[string]interface{}{"type": "test2"})
+
+	conn2.SetReadDeadline(time.Now().Add(2 * time.Second))
+	_, msg3, err := conn2.ReadMessage()
+	if err != nil {
+		t.Fatalf("conn2 read error after disconnect: %v", err)
+	}
+	if len(msg3) == 0 {
+		t.Error("expected non-empty message")
+	}
+}
+
+func TestBroadcastFullBuffer(t *testing.T) {
+	hub := NewHub()
+
+	// Create a client with tiny buffer (1)
+	client := &Client{
+		send: make(chan []byte, 1),
+	}
+	hub.mu.Lock()
+	hub.clients[client] = true
+	hub.mu.Unlock()
+
+	// Fill the buffer
+	client.send <- []byte("first")
+
+	// This broadcast should drop the message (buffer full)
+	hub.Broadcast(map[string]interface{}{"type": "dropped"})
+
+	// Channel should still only have the first message
+	select {
+	case msg := <-client.send:
+		if string(msg) != "first" {
+			t.Errorf("expected 'first', got %s", string(msg))
+		}
+	default:
+		t.Error("expected message in channel")
+	}
+
+	// Clean up
+	hub.mu.Lock()
+	delete(hub.clients, client)
+	hub.mu.Unlock()
+}
+
+func TestBroadcastMarshalError(t *testing.T) {
+	hub := NewHub()
+
+	// Marshal error: functions can't be marshaled to JSON
+	hub.Broadcast(map[string]interface{}{"bad": func() {}})
+	// Should not panic — just log and return
+}
+
+func TestPollerBroadcastsNewData(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+	seedTestData(t, db)
+	hub := NewHub()
+
+	// Create a client to receive broadcasts
+	client := &Client{
+		send: make(chan []byte, 256),
+	}
+	hub.mu.Lock()
+	hub.clients[client] = true
+	hub.mu.Unlock()
+
+	poller := NewPoller(db, hub, 50*time.Millisecond)
+	go poller.Start()
+
+	// Insert new data to trigger broadcast
+	db.conn.Exec(`INSERT INTO transmissions (raw_hex, hash, first_seen, route_type, payload_type)
+		VALUES ('EEFF', 'newhash123456789', '2026-01-16T10:00:00Z', 1, 4)`)
+
+	time.Sleep(200 * time.Millisecond)
+	poller.Stop()
+
+	// Check if client received broadcast with packet field (fixes #162)
+	select {
+	case msg := <-client.send:
+		if len(msg) == 0 {
+			t.Error("expected non-empty broadcast message")
+		}
+		var parsed map[string]interface{}
+		if err := json.Unmarshal(msg, &parsed); err != nil {
+			t.Fatalf("failed to parse broadcast: %v", err)
+		}
+		if parsed["type"] != "packet" {
+			t.Errorf("expected type=packet, got %v", parsed["type"])
+		}
+		data, ok := parsed["data"].(map[string]interface{})
+		if !ok {
+			t.Fatal("expected data to be an object")
+		}
+		// packets.js filters on m.data.packet — must exist
+		pkt, ok := data["packet"]
+		if !ok || pkt == nil {
+			t.Error("expected data.packet to exist (required by packets.js WS handler)")
+		}
+		pktMap, ok := pkt.(map[string]interface{})
+		if !ok {
+			t.Fatal("expected data.packet to be an object")
+		}
+		// Verify key fields exist in nested packet (timestamp required by packets.js)
+		for _, field := range []string{"id", "hash", "payload_type", "timestamp"} {
+			if _, exists := pktMap[field]; !exists {
+				t.Errorf("expected data.packet.%s to exist", field)
+			}
+		}
+	default:
+		// Might not have received due to timing
+	}
+
+	// Clean up
+	hub.mu.Lock()
+	delete(hub.clients, client)
+	hub.mu.Unlock()
+}
+
+func TestPollerBroadcastsMultipleObservations(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+	seedTestData(t, db)
+	hub := NewHub()
+
+	client := &Client{
+		send: make(chan []byte, 256),
+	}
+	hub.mu.Lock()
+	hub.clients[client] = true
+	hub.mu.Unlock()
+	defer func() {
+		hub.mu.Lock()
+		delete(hub.clients, client)
+		hub.mu.Unlock()
+	}()
+
+	poller := NewPoller(db, hub, 50*time.Millisecond)
+	store := NewPacketStore(db)
+	if err := store.Load(); err != nil {
+		t.Fatalf("store load failed: %v", err)
+	}
+	poller.store = store
+	go poller.Start()
+	defer poller.Stop()
+
+	// Wait for poller to initialize its lastID/lastObsID cursors before
+	// inserting new data; otherwise the poller may snapshot a lastID that
+	// already includes the test data and never broadcast it.
+	time.Sleep(100 * time.Millisecond)
+
+	now := time.Now().UTC().Format(time.RFC3339)
+	if _, err := db.conn.Exec(`INSERT INTO transmissions (raw_hex, hash, first_seen, route_type, payload_type, decoded_json)
+		VALUES ('FACE', 'starbursthash237a', ?, 1, 4, '{"pubKey":"aabbccdd11223344","type":"ADVERT"}')`, now); err != nil {
+		t.Fatalf("insert tx failed: %v", err)
+	}
+	var txID int
+	if err := db.conn.QueryRow(`SELECT id FROM transmissions WHERE hash='starbursthash237a'`).Scan(&txID); err != nil {
+		t.Fatalf("query tx id failed: %v", err)
+	}
+	ts := time.Now().Unix()
+	if _, err := db.conn.Exec(`INSERT INTO observations (transmission_id, observer_idx, snr, rssi, path_json, timestamp)
+		VALUES (?, 1, 14.0, -82, '["aa"]', ?),
+		       (?, 2, 10.5, -90, '["aa","bb"]', ?),
+		       (?, 1, 7.0, -96, '["aa","bb","cc"]', ?)`,
+		txID, ts, txID, ts+1, txID, ts+2); err != nil {
+		t.Fatalf("insert observations failed: %v", err)
+	}
+
+	deadline := time.After(2 * time.Second)
+	var dataMsgs []map[string]interface{}
+	for len(dataMsgs) < 3 {
+		select {
+		case raw := <-client.send:
+			var parsed map[string]interface{}
+			if err := json.Unmarshal(raw, &parsed); err != nil {
+				t.Fatalf("unmarshal ws msg failed: %v", err)
+			}
+			if parsed["type"] != "packet" {
+				continue
+			}
+			data, ok := parsed["data"].(map[string]interface{})
+			if !ok {
+				continue
+			}
+			if data["hash"] == "starbursthash237a" {
+				dataMsgs = append(dataMsgs, data)
+			}
+		case <-deadline:
+			t.Fatalf("timed out waiting for 3 observation broadcasts, got %d", len(dataMsgs))
+		}
+	}
+
+	if len(dataMsgs) != 3 {
+		t.Fatalf("expected 3 messages, got %d", len(dataMsgs))
+	}
+
+	paths := make([]string, 0, 3)
+	observers := make(map[string]bool)
+	for _, m := range dataMsgs {
+		hash, _ := m["hash"].(string)
+		if hash != "starbursthash237a" {
+			t.Fatalf("unexpected hash %q", hash)
+		}
+		p, _ := m["path_json"].(string)
+		paths = append(paths, p)
+		if oid, ok := m["observer_id"].(string); ok && oid != "" {
+			observers[oid] = true
+		}
+	}
+	sort.Strings(paths)
+	wantPaths := []string{`["aa","bb","cc"]`, `["aa","bb"]`, `["aa"]`}
+	sort.Strings(wantPaths)
+	for i := range wantPaths {
+		if paths[i] != wantPaths[i] {
+			t.Fatalf("path mismatch at %d: got %q want %q", i, paths[i], wantPaths[i])
+		}
+	}
+	if len(observers) < 2 {
+		t.Fatalf("expected observations from >=2 observers, got %d", len(observers))
+	}
+}
+
+func TestIngestNewObservationsBroadcast(t *testing.T) {
+	db := setupTestDB(t)
+	defer db.Close()
+	seedTestData(t, db)
+	store := NewPacketStore(db)
+	if err := store.Load(); err != nil {
+		t.Fatalf("store load failed: %v", err)
+	}
+
+	maxObs := db.GetMaxObservationID()
+	now := time.Now().Unix()
+	if _, err := db.conn.Exec(`INSERT INTO observations (transmission_id, observer_idx, snr, rssi, path_json, timestamp)
+		VALUES (1, 2, 6.0, -100, '["aa","zz"]', ?),
+		       (1, 1, 5.0, -101, '["aa","yy"]', ?)`, now, now+1); err != nil {
+		t.Fatalf("insert new observations failed: %v", err)
+	}
+
+	maps := store.IngestNewObservations(maxObs, 500)
+	if len(maps) != 2 {
+		t.Fatalf("expected 2 broadcast maps, got %d", len(maps))
+	}
+	for _, m := range maps {
+		if m["hash"] != "abc123def4567890" {
+			t.Fatalf("unexpected hash in map: %v", m["hash"])
+		}
+		path, ok := m["path_json"].(string)
+		if !ok || path == "" {
+			t.Fatalf("missing path_json in map: %#v", m)
+		}
+		if _, ok := m["observer_id"]; !ok {
+			t.Fatalf("missing observer_id in map: %#v", m)
+		}
+	}
+}
+
+func TestHubRegisterUnregister(t *testing.T) {
+	hub := NewHub()
+
+	client := &Client{
+		send: make(chan []byte, 256),
+	}
+
+	hub.Register(client)
+	if hub.ClientCount() != 1 {
+		t.Errorf("expected 1 client after register, got %d", hub.ClientCount())
+	}
+
+	hub.Unregister(client)
+	if hub.ClientCount() != 0 {
+		t.Errorf("expected 0 clients after unregister, got %d", hub.ClientCount())
+	}
+
+	// Unregister again should be safe
+	hub.Unregister(client)
+	if hub.ClientCount() != 0 {
+		t.Errorf("expected 0 clients, got %d", hub.ClientCount())
+	}
+}

decoder.js

@@ -2,8 +2,8 @@
  * MeshCore Packet Decoder
  * Custom implementation — does NOT use meshcore-decoder library (known path_length bug).
  *
- * Packet layout:
- *   [header(1)] [pathLength(1)] [transportCodes?] [path hops] [payload...]
+ * Packet layout (per firmware docs/packet_format.md):
+ *   [header(1)] [transportCodes?(4)] [pathLength(1)] [path hops] [payload...]
  *
  * Header byte (LSB first):
  *   bits 1-0: routeType (0=TRANSPORT_FLOOD, 1=FLOOD, 2=DIRECT, 3=TRANSPORT_DIRECT)
@@ -42,7 +42,7 @@ const PAYLOAD_TYPES = {
   0x0F: 'RAW_CUSTOM',
 };
 
-// Route types that carry transport codes (nextHop + lastHop, 2 bytes each)
+// Route types that carry transport codes (2x uint16_t, 4 bytes total)
 const TRANSPORT_ROUTES = new Set([0, 3]); // TRANSPORT_FLOOD, TRANSPORT_DIRECT
 
 // --- Header parsing ---
@@ -94,13 +94,11 @@ function decodeEncryptedPayload(buf) {
   };
 }
 
-/** ACK: dest(1) + src(1) + ack_hash(4) (per Mesh.cpp) */
+/** ACK: checksum(4) — CRC of message timestamp + text + sender pubkey (per Mesh.cpp createAck) */
 function decodeAck(buf) {
-  if (buf.length < 6) return { error: 'too short', raw: buf.toString('hex') };
+  if (buf.length < 4) return { error: 'too short', raw: buf.toString('hex') };
   return {
-    destHash: buf.subarray(0, 1).toString('hex'),
-    srcHash: buf.subarray(1, 2).toString('hex'),
-    extraHash: buf.subarray(2, 6).toString('hex'),
+    ackChecksum: buf.subarray(0, 4).toString('hex'),
   };
 }
 
@@ -125,6 +123,8 @@ function decodeAdvert(buf) {
       room: advType === 3,
       sensor: advType === 4,
       hasLocation: !!(flags & 0x10),
+      hasFeat1: !!(flags & 0x20),
+      hasFeat2: !!(flags & 0x40),
       hasName: !!(flags & 0x80),
     };
 
@@ -134,6 +134,14 @@ function decodeAdvert(buf) {
       result.lon = appdata.readInt32LE(off + 4) / 1e6;
       off += 8;
     }
+    if (result.flags.hasFeat1 && appdata.length >= off + 2) {
+      result.feat1 = appdata.readUInt16LE(off);
+      off += 2;
+    }
+    if (result.flags.hasFeat2 && appdata.length >= off + 2) {
+      result.feat2 = appdata.readUInt16LE(off);
+      off += 2;
+    }
     if (result.flags.hasName) {
       // Find null terminator to separate name from trailing telemetry bytes
       let nameEnd = appdata.length;
@@ -231,7 +239,7 @@ function decodeGrpTxt(buf, channelKeys) {
   return { type: 'GRP_TXT', channelHash, channelHashHex, decryptionStatus: 'no_key', mac, encryptedData };
 }
 
-/** ANON_REQ: dest(6) + ephemeral_pubkey(32) + MAC(4) + encrypted */
+/** ANON_REQ: dest(1) + ephemeral_pubkey(32) + MAC(2) + encrypted */
 function decodeAnonReq(buf) {
   if (buf.length < 35) return { error: 'too short', raw: buf.toString('hex') };
   return {
@@ -242,7 +250,7 @@ function decodeAnonReq(buf) {
   };
 }
 
-/** PATH: dest(6) + src(6) + MAC(4) + path_data */
+/** PATH: dest(1) + src(1) + MAC(2) + path_data */
 function decodePath_payload(buf) {
   if (buf.length < 4) return { error: 'too short', raw: buf.toString('hex') };
   return {
@@ -253,14 +261,14 @@ function decodePath_payload(buf) {
   };
 }
 
-/** TRACE: flags(1) + tag(4) + dest(6) + src(1) */
+/** TRACE: tag(4) + authCode(4) + flags(1) + pathData (per Mesh.cpp onRecvPacket TRACE) */
 function decodeTrace(buf) {
-  if (buf.length < 12) return { error: 'too short', raw: buf.toString('hex') };
+  if (buf.length < 9) return { error: 'too short', raw: buf.toString('hex') };
   return {
-    flags: buf[0],
-    tag: buf.readUInt32LE(1),
-    destHash: buf.subarray(5, 11).toString('hex'),
-    srcHash: buf.subarray(11, 12).toString('hex'),
+    tag: buf.readUInt32LE(0),
+    authCode: buf.subarray(4, 8).toString('hex'),
+    flags: buf[8],
+    pathData: buf.subarray(9).toString('hex'),
   };
 }
 
@@ -289,20 +297,22 @@ function decodePacket(hexString, channelKeys) {
   if (buf.length < 2) throw new Error('Packet too short (need at least header + pathLength)');
 
   const header = decodeHeader(buf[0]);
-  const pathByte = buf[1];
-  let offset = 2;
+  let offset = 1;
 
-  // Transport codes for TRANSPORT_FLOOD / TRANSPORT_DIRECT
+  // Transport codes for TRANSPORT_FLOOD / TRANSPORT_DIRECT — BEFORE path_length per spec
   let transportCodes = null;
   if (TRANSPORT_ROUTES.has(header.routeType)) {
     if (buf.length < offset + 4) throw new Error('Packet too short for transport codes');
     transportCodes = {
-      nextHop: buf.subarray(offset, offset + 2).toString('hex').toUpperCase(),
-      lastHop: buf.subarray(offset + 2, offset + 4).toString('hex').toUpperCase(),
+      code1: buf.subarray(offset, offset + 2).toString('hex').toUpperCase(),
+      code2: buf.subarray(offset + 2, offset + 4).toString('hex').toUpperCase(),
     };
     offset += 4;
   }
 
+  // Path length byte — AFTER transport codes per spec
+  const pathByte = buf[offset++];
+
   // Path
   const path = decodePath(pathByte, buf, offset);
   offset += path.bytesConsumed;
@@ -386,7 +396,7 @@ module.exports = { decodePacket, validateAdvert, hasNonPrintableChars, ROUTE_TYP
 
 // --- Tests ---
 if (require.main === module) {
-  console.log('=== Test 1: ADVERT, FLOOD, 5 hops (2-byte hashes), "Test Repeater" ===');
+  console.log('=== Test 1: ADVERT, FLOOD, 5 hops (2-byte hashes), "Kpa Roof Solar" ===');
   const pkt1 = decodePacket(
     '11451000D818206D3AAC152C8A91F89957E6D30CA51F36E28790228971C473B755F244F718754CF5EE4A2FD58D944466E42CDED140C66D0CC590183E32BAF40F112BE8F3F2BDF6012B4B2793C52F1D36F69EE054D9A05593286F78453E56C0EC4A3EB95DDA2A7543FCCC00B939CACC009278603902FC12BCF84B706120526F6F6620536F6C6172'
   );
@@ -402,7 +412,7 @@ if (require.main === module) {
   assert(pkt1.path.hops[0] === '1000', 'first hop should be 1000');
   assert(pkt1.path.hops[1] === 'D818', 'second hop should be D818');
   assert(pkt1.transportCodes === null, 'FLOOD has no transport codes');
-  assert(pkt1.payload.name === 'Test Repeater', 'name should be "Test Repeater"');
+  assert(pkt1.payload.name === 'Kpa Roof Solar', 'name should be "Kpa Roof Solar"');
   console.log('✅ Test 1 passed\n');
 
   console.log('=== Test 2: ADVERT, FLOOD, 0 hops (zero-path) ===');

docker-compose.yml

@@ -5,9 +5,12 @@
 
 services:
   prod:
+    build: .
     image: corescope:latest
     container_name: corescope-prod
     restart: unless-stopped
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     ports:
       - "${PROD_HTTP_PORT:-80}:${PROD_HTTP_PORT:-80}"
       - "${PROD_HTTPS_PORT:-443}:${PROD_HTTPS_PORT:-443}"
@@ -26,9 +29,12 @@ services:
       retries: 3
 
   staging:
+    build: .
     image: corescope:latest
     container_name: corescope-staging
     restart: unless-stopped
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     ports:
       - "${STAGING_HTTP_PORT:-81}:${STAGING_HTTP_PORT:-81}"
       - "${STAGING_MQTT_PORT:-1884}:1883"
@@ -57,6 +63,8 @@ services:
     image: corescope-go:latest
     container_name: corescope-staging-go
     restart: unless-stopped
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     ports:
       - "${STAGING_GO_HTTP_PORT:-82}:80"
       - "${STAGING_GO_MQTT_PORT:-1885}:1883"

docs/rename-migration.md

@@ -0,0 +1,101 @@
+# CoreScope Migration Guide
+
+MeshCore Analyzer has been renamed to **CoreScope**. This document covers what you need to update.
+
+## What Changed
+
+- **Repository name**: `meshcore-analyzer` → `corescope`
+- **Docker image name**: `meshcore-analyzer:latest` → `corescope:latest`
+- **Docker container prefixes**: `meshcore-*` → `corescope-*`
+- **Default site name**: "MeshCore Analyzer" → "CoreScope"
+
+## What Did NOT Change
+
+- **Data directories** — `~/meshcore-data/` stays as-is
+- **Database filename** — `meshcore.db` is unchanged
+- **MQTT topics** — `meshcore/#` topics are protocol-level and unchanged
+- **Browser state** — Favorites, localStorage keys, and settings are preserved
+- **Config file format** — `config.json` structure is the same
+
+---
+
+## 1. Git Remote Update
+
+Update your local clone to point to the new repository URL:
+
+```bash
+git remote set-url origin https://github.com/Kpa-clawbot/corescope.git
+git pull
+```
+
+## 2. Docker (manage.sh) Users
+
+Rebuild with the new image name:
+
+```bash
+./manage.sh stop
+git pull
+./manage.sh setup
+```
+
+The new image is `corescope:latest`. You can clean up the old image:
+
+```bash
+docker rmi meshcore-analyzer:latest
+```
+
+## 3. Docker Compose Users
+
+Rebuild containers with the new names:
+
+```bash
+docker compose down
+git pull
+docker compose build
+docker compose up -d
+```
+
+Container names change from `meshcore-*` to `corescope-*`. Old containers are removed by `docker compose down`.
+
+## 4. Data Directories
+
+**No action required.** The data directory `~/meshcore-data/` and database file `meshcore.db` are unchanged. Your existing data carries over automatically.
+
+## 5. Config
+
+If you customized `branding.siteName` in your `config.json`, update it to your preferred name. Otherwise the new default "CoreScope" applies automatically.
+
+No other config keys changed.
+
+## 6. MQTT
+
+**No action required.** MQTT topics (`meshcore/#`) are protocol-level and are not affected by the rename.
+
+## 7. Browser
+
+**No action required.** Bookmarks/favorites will continue to work at the same host and port. localStorage keys are unchanged, so your settings and preferences are preserved.
+
+## 8. CI/CD
+
+If you have custom CI/CD pipelines that reference:
+
+- The old repository URL (`meshcore-analyzer`)
+- The old Docker image name (`meshcore-analyzer:latest`)
+- Old container names (`meshcore-*`)
+
+Update those references to use the new names.
+
+---
+
+## Summary Checklist
+
+| Item | Action Required? | What to Do |
+|------|-----------------|------------|
+| Git remote | ✅ Yes | `git remote set-url origin …corescope.git` |
+| Docker image | ✅ Yes | Rebuild; optionally `docker rmi` old image |
+| Docker Compose | ✅ Yes | `docker compose down && build && up` |
+| Data directories | ❌ No | Unchanged |
+| Config | ⚠️ Maybe | Only if you customized `branding.siteName` |
+| MQTT | ❌ No | Topics unchanged |
+| Browser | ❌ No | Settings preserved |
+| CI/CD | ⚠️ Maybe | Update if referencing old repo/image names |

public/index.html

@@ -22,9 +22,9 @@
   <meta name="twitter:title" content="CoreScope">
   <meta name="twitter:description" content="Real-time MeshCore LoRa mesh network analyzer — live packet visualization, node tracking, channel decryption, and route analysis.">
   <meta name="twitter:image" content="https://raw.githubusercontent.com/Kpa-clawbot/corescope/master/public/og-image.png">
-  <link rel="stylesheet" href="style.css?v=1774731523">
-  <link rel="stylesheet" href="home.css?v=1774731523">
-  <link rel="stylesheet" href="live.css?v=1774731523">
+  <link rel="stylesheet" href="style.css?v=1774786038">
+  <link rel="stylesheet" href="home.css?v=1774786038">
+  <link rel="stylesheet" href="live.css?v=1774786038">
   <link rel="stylesheet" href="https://unpkg.com/leaflet@1.9.4/dist/leaflet.css"
     integrity="sha256-p4NxAoJBhIIN+hmNHrzRCf9tD/miZyoHS5obTRR9BMY="
     crossorigin="anonymous">
@@ -81,29 +81,29 @@
   <main id="app" role="main"></main>
 
   <script src="vendor/qrcode.js"></script>
-  <script src="roles.js?v=1774731523"></script>
-  <script src="customize.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="region-filter.js?v=1774731523"></script>
-  <script src="hop-resolver.js?v=1774731523"></script>
-  <script src="hop-display.js?v=1774731523"></script>
-  <script src="app.js?v=1774731523"></script>
-  <script src="home.js?v=1774731523"></script>
-  <script src="packet-filter.js?v=1774731523"></script>
-  <script src="packets.js?v=1774731523"></script>
-  <script src="map.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="channels.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="nodes.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="traces.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="analytics.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="audio.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="audio-v1-constellation.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="audio-v2-constellation.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="audio-lab.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="live.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="observers.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="observer-detail.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="compare.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="node-analytics.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
-  <script src="perf.js?v=1774731523" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="roles.js?v=1774786038"></script>
+  <script src="customize.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="region-filter.js?v=1774786038"></script>
+  <script src="hop-resolver.js?v=1774786038"></script>
+  <script src="hop-display.js?v=1774786038"></script>
+  <script src="app.js?v=1774786038"></script>
+  <script src="home.js?v=1774786038"></script>
+  <script src="packet-filter.js?v=1774786038"></script>
+  <script src="packets.js?v=1774786038"></script>
+  <script src="map.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="channels.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="nodes.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="traces.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="analytics.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="audio.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="audio-v1-constellation.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="audio-v2-constellation.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="audio-lab.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="live.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="observers.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="observer-detail.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="compare.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="node-analytics.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
+  <script src="perf.js?v=1774786038" onerror="console.error('Failed to load:', this.src)"></script>
 </body>
 </html>

public/packets.js

@@ -1512,14 +1512,12 @@
       rows += fieldRow(off + 1, 'Sender', decoded.sender || '—', '');
       if (decoded.sender_timestamp) rows += fieldRow(off + 2, 'Sender Time', decoded.sender_timestamp, '');
     } else if (decoded.type === 'ACK') {
-      rows += fieldRow(off, 'Dest Hash (6B)', decoded.destHash || '', '');
-      rows += fieldRow(off + 6, 'Src Hash (6B)', decoded.srcHash || '', '');
-      rows += fieldRow(off + 12, 'Extra (6B)', decoded.extraHash || '', '');
+      rows += fieldRow(off, 'Checksum (4B)', decoded.ackChecksum || '', '');
     } else if (decoded.destHash !== undefined) {
-      rows += fieldRow(off, 'Dest Hash (6B)', decoded.destHash || '', '');
-      rows += fieldRow(off + 6, 'Src Hash (6B)', decoded.srcHash || '', '');
-      rows += fieldRow(off + 12, 'MAC (4B)', decoded.mac || '', '');
-      rows += fieldRow(off + 16, 'Encrypted Data', truncate(decoded.encryptedData || '', 30), '');
+      rows += fieldRow(off, 'Dest Hash (1B)', decoded.destHash || '', '');
+      rows += fieldRow(off + 1, 'Src Hash (1B)', decoded.srcHash || '', '');
+      rows += fieldRow(off + 2, 'MAC (2B)', decoded.mac || '', '');
+      rows += fieldRow(off + 4, 'Encrypted Data', truncate(decoded.encryptedData || '', 30), '');
     } else {
       rows += fieldRow(off, 'Raw', truncate(buf.slice(off * 2), 40), '');
     }

public/perf.js

@@ -40,12 +40,12 @@
           html += `<h3>🔧 Go Runtime</h3><div style="display:flex;gap:16px;flex-wrap:wrap;margin:8px 0;">
             <div class="perf-card"><div class="perf-num">${gr.goroutines}</div><div class="perf-label">Goroutines</div></div>
             <div class="perf-card"><div class="perf-num">${gr.numGC}</div><div class="perf-label">GC Collections</div></div>
-            <div class="perf-card"><div class="perf-num" style="color:${gcColor}">${gr.pauseTotalMs}ms</div><div class="perf-label">GC Pause Total</div></div>
-            <div class="perf-card"><div class="perf-num">${gr.lastPauseMs}ms</div><div class="perf-label">Last GC Pause</div></div>
-            <div class="perf-card"><div class="perf-num">${gr.heapAllocMB}MB</div><div class="perf-label">Heap Alloc</div></div>
-            <div class="perf-card"><div class="perf-num">${gr.heapSysMB}MB</div><div class="perf-label">Heap Sys</div></div>
-            <div class="perf-card"><div class="perf-num">${gr.heapInuseMB}MB</div><div class="perf-label">Heap Inuse</div></div>
-            <div class="perf-card"><div class="perf-num">${gr.heapIdleMB}MB</div><div class="perf-label">Heap Idle</div></div>
+            <div class="perf-card"><div class="perf-num" style="color:${gcColor}">${(+gr.pauseTotalMs).toFixed(1)}ms</div><div class="perf-label">GC Pause Total</div></div>
+            <div class="perf-card"><div class="perf-num">${(+gr.lastPauseMs).toFixed(1)}ms</div><div class="perf-label">Last GC Pause</div></div>
+            <div class="perf-card"><div class="perf-num">${(+gr.heapAllocMB).toFixed(1)}MB</div><div class="perf-label">Heap Alloc</div></div>
+            <div class="perf-card"><div class="perf-num">${(+gr.heapSysMB).toFixed(1)}MB</div><div class="perf-label">Heap Sys</div></div>
+            <div class="perf-card"><div class="perf-num">${(+gr.heapInuseMB).toFixed(1)}MB</div><div class="perf-label">Heap Inuse</div></div>
+            <div class="perf-card"><div class="perf-num">${(+gr.heapIdleMB).toFixed(1)}MB</div><div class="perf-label">Heap Idle</div></div>
             <div class="perf-card"><div class="perf-num">${gr.numCPU}</div><div class="perf-label">CPUs</div></div>
             <div class="perf-card"><div class="perf-num">${health.websocket.clients}</div><div class="perf-label">WS Clients</div></div>
           </div>`;

public/style.css

@@ -155,7 +155,7 @@ a:focus-visible, button:focus-visible, input:focus-visible, select:focus-visible
 /* === Nav Stats === */
 .nav-stats {
   display: flex; gap: 12px; align-items: center; font-size: 12px; color: var(--nav-text-muted);
-  font-family: var(--mono); margin-right: 4px;
+  font-family: var(--mono); margin-right: 4px; white-space: nowrap;
 }
 .nav-stats .stat-val { color: var(--nav-text); font-weight: 600; transition: color 0.3s ease; }
 .nav-stats .stat-val.updated { color: var(--accent); }

server.js

@@ -207,6 +207,13 @@ class TTLCache {
       if (key.startsWith(prefix)) this.store.delete(key);
     }
   }
+  debouncedInvalidateBulkHealth() {
+    if (this._bulkHealthTimer) return;
+    this._bulkHealthTimer = setTimeout(() => {
+      this._bulkHealthTimer = null;
+      this.invalidate('bulk-health');
+    }, 30000);
+  }
   debouncedInvalidateAll() {
     if (this._debounceTimer) return;
     this._debounceTimer = setTimeout(() => {
@@ -410,7 +417,7 @@ app.get('/api/perf', (req, res) => {
     avgMs: perfStats.requests ? Math.round(perfStats.totalMs / perfStats.requests * 10) / 10 : 0,
     endpoints: Object.fromEntries(sorted),
     slowQueries: perfStats.slowQueries.slice(-20),
-    cache: { size: cache.size, hits: cache.hits, misses: cache.misses, staleHits: cache.staleHits, recomputes: cache.recomputes, hitRate: cache.hits + cache.misses > 0 ? Math.round(cache.hits / (cache.hits + cache.misses) * 1000) / 10 : 0 },
+    cache: { size: cache.size, hits: cache.hits, misses: cache.misses, staleHits: cache.staleHits, recomputes: cache.recomputes, hitRate: cache.hits + cache.staleHits + cache.misses > 0 ? Math.round((cache.hits + cache.staleHits) / (cache.hits + cache.staleHits + cache.misses) * 1000) / 10 : 0 },
     packetStore: pktStore.getStats(),
     sqlite: (() => {
       try {
@@ -519,7 +526,7 @@ app.get('/api/health', (req, res) => {
       misses: cache.misses,
       staleHits: cache.staleHits,
       recomputes: cache.recomputes,
-      hitRate: cache.hits + cache.misses > 0 ? Math.round(cache.hits / (cache.hits + cache.misses) * 1000) / 10 : 0,
+      hitRate: cache.hits + cache.staleHits + cache.misses > 0 ? Math.round((cache.hits + cache.staleHits) / (cache.hits + cache.staleHits + cache.misses) * 1000) / 10 : 0,
     },
     websocket: {
       clients: wsClients,
@@ -723,7 +730,7 @@ for (const source of mqttSources) {
             // Invalidate this node's caches on advert
             cache.invalidate('node:' + p.pubKey);
             cache.invalidate('health:' + p.pubKey);
-            cache.invalidate('bulk-health');
+            cache.debouncedInvalidateBulkHealth();
 
             // Cross-reference: if this node's pubkey matches an existing observer, backfill observer name
             if (p.name && p.pubKey) {

test-decoder-spec.js

@@ -122,13 +122,14 @@ console.log('── Spec Tests: Transport Codes ──');
 
 {
   // Route type 0 (TRANSPORT_FLOOD) and 3 (TRANSPORT_DIRECT) should have 4-byte transport codes
-  // Route type 0: header byte = 0bPPPPPP00, e.g. 0x14 = payloadType 5 (GRP_TXT), routeType 0
-  const hex = '1400' + 'AABB' + 'CCDD' + '1A' + '00'.repeat(10); // transport codes + GRP_TXT payload
+  // Route type 0: header=0x14 = payloadType 5 (GRP_TXT), routeType 0 (TRANSPORT_FLOOD)
+  // Format: header(1) + transportCodes(4) + pathByte(1) + payload
+  const hex = '14' + 'AABB' + 'CCDD' + '00' + '1A' + '00'.repeat(10); // transport codes + pathByte + GRP_TXT payload
   const p = decodePacket(hex);
   assertEq(p.header.routeType, 0, 'transport: routeType=0 (TRANSPORT_FLOOD)');
   assert(p.transportCodes !== null, 'transport: transportCodes present for TRANSPORT_FLOOD');
-  assertEq(p.transportCodes.nextHop, 'AABB', 'transport: nextHop');
-  assertEq(p.transportCodes.lastHop, 'CCDD', 'transport: lastHop');
+  assertEq(p.transportCodes.code1, 'AABB', 'transport: code1');
+  assertEq(p.transportCodes.code2, 'CCDD', 'transport: code2');
 }
 
 {
@@ -257,13 +258,13 @@ console.log('── Spec Tests: Advert Payload ──');
 
 console.log('── Spec Tests: Encrypted Payload Format ──');
 
-// NOTE: Spec says v1 encrypted payloads have dest(1) + src(1) + MAC(2) + ciphertext
-// But decoder reads dest(6) + src(6) + MAC(4) + ciphertext
-// This is a known discrepancy — the decoder matches production behavior, not the spec.
-// The spec may describe the firmware's internal addressing while the OTA format differs,
-// or the decoder may be parsing the fields differently. Production data validates the decoder.
+// Spec says v1 encrypted payloads: dest(1)+src(1)+MAC(2)+cipher — decoder matches this.
 {
-  note('Spec says v1 encrypted payloads: dest(1)+src(1)+MAC(2)+cipher, but decoder reads dest(6)+src(6)+MAC(4)+cipher — decoder matches prod data');
+  const hex = '0100' + 'AA' + 'BB' + 'CCDD' + '00'.repeat(10);
+  const p = decodePacket(hex);
+  assertEq(p.payload.destHash, 'aa', 'encrypted payload: dest is 1 byte');
+  assertEq(p.payload.srcHash, 'bb', 'encrypted payload: src is 1 byte');
+  assertEq(p.payload.mac, 'ccdd', 'encrypted payload: MAC is 2 bytes');
 }
 
 console.log('── Spec Tests: validateAdvert ──');

test-decoder.js

@@ -28,22 +28,22 @@ test('FLOOD + ADVERT = 0x11', () => {
 });
 
 test('TRANSPORT_FLOOD = routeType 0', () => {
-  // 0x00 = TRANSPORT_FLOOD + REQ(0), needs transport codes + 16 byte payload
-  const hex = '0000' + 'AABB' + 'CCDD' + '00'.repeat(16);
+  // header=0x00 (TRANSPORT_FLOOD + REQ), transportCodes=AABB+CCDD, pathByte=0x00, payload
+  const hex = '00' + 'AABB' + 'CCDD' + '00' + '00'.repeat(16);
   const p = decodePacket(hex);
   assert.strictEqual(p.header.routeType, 0);
   assert.strictEqual(p.header.routeTypeName, 'TRANSPORT_FLOOD');
   assert.notStrictEqual(p.transportCodes, null);
-  assert.strictEqual(p.transportCodes.nextHop, 'AABB');
-  assert.strictEqual(p.transportCodes.lastHop, 'CCDD');
+  assert.strictEqual(p.transportCodes.code1, 'AABB');
+  assert.strictEqual(p.transportCodes.code2, 'CCDD');
 });
 
 test('TRANSPORT_DIRECT = routeType 3', () => {
-  const hex = '0300' + '1122' + '3344' + '00'.repeat(16);
+  const hex = '03' + '1122' + '3344' + '00' + '00'.repeat(16);
   const p = decodePacket(hex);
   assert.strictEqual(p.header.routeType, 3);
   assert.strictEqual(p.header.routeTypeName, 'TRANSPORT_DIRECT');
-  assert.strictEqual(p.transportCodes.nextHop, '1122');
+  assert.strictEqual(p.transportCodes.code1, '1122');
 });
 
 test('DIRECT = routeType 2, no transport codes', () => {
@@ -358,9 +358,7 @@ test('ACK decode', () => {
   const hex = '0D00' + '00'.repeat(18);
   const p = decodePacket(hex);
   assert.strictEqual(p.payload.type, 'ACK');
-  assert(p.payload.destHash);
-  assert(p.payload.srcHash);
-  assert(p.payload.extraHash);
+  assert(p.payload.ackChecksum);
 });
 
 test('ACK too short', () => {
@@ -424,9 +422,9 @@ test('TRACE decode', () => {
   const hex = '2500' + '00'.repeat(12);
   const p = decodePacket(hex);
   assert.strictEqual(p.payload.type, 'TRACE');
-  assert.strictEqual(p.payload.flags, 0);
   assert(p.payload.tag !== undefined);
-  assert(p.payload.destHash);
+  assert(p.payload.authCode !== undefined);
+  assert.strictEqual(p.payload.flags, 0);
 });
 
 test('TRACE too short', () => {
@@ -460,16 +458,18 @@ test('Transport route too short throws', () => {
   assert.throws(() => decodePacket('0000'), /too short for transport/);
 });
 
-test('Corrupt packet #183 — path overflow capped to buffer', () => {
+test('Corrupt packet #183 — TRANSPORT_DIRECT with correct field order', () => {
   const hex = 'BBAD6797EC8751D500BF95A1A776EF580E665BCBF6A0BBE03B5E730707C53489B8C728FD3FB902397197E1263CEC21E52465362243685DBBAD6797EC8751C90A75D9FD8213155D';
   const p = decodePacket(hex);
   assert.strictEqual(p.header.routeType, 3, 'routeType should be TRANSPORT_DIRECT');
   assert.strictEqual(p.header.payloadTypeName, 'UNKNOWN');
-  // pathByte 0xAD claims 45 hops × 3 bytes = 135, but only 65 bytes available
+  // transport codes are bytes 1-4, pathByte=0x87 at byte 5
+  assert.strictEqual(p.transportCodes.code1, 'AD67');
+  assert.strictEqual(p.transportCodes.code2, '97EC');
+  // pathByte 0x87: hashSize=3, hashCount=7
   assert.strictEqual(p.path.hashSize, 3);
-  assert.strictEqual(p.path.hashCount, 21, 'hashCount capped to fit buffer');
-  assert.strictEqual(p.path.hops.length, 21);
-  assert.strictEqual(p.path.truncated, true);
+  assert.strictEqual(p.path.hashCount, 7);
+  assert.strictEqual(p.path.hops.length, 7);
   // No empty strings in hops
   assert(p.path.hops.every(h => h.length > 0), 'no empty hops');
 });

test-server-routes.js

@@ -1254,6 +1254,24 @@ seedTestData();
     lastPathSeenMap.delete(liveNode);
   });
 
+  // ── Cache hit rate includes stale hits ──
+  await t('Cache hitRate includes staleHits in formula', async () => {
+    cache.clear();
+    cache.hits = 0;
+    cache.misses = 0;
+    cache.staleHits = 0;
+    // Simulate: 3 hits, 2 stale hits, 5 misses => rate = (3+2)/(3+2+5) = 50%
+    cache.hits = 3;
+    cache.staleHits = 2;
+    cache.misses = 5;
+    const r = await request(app).get('/api/health').expect(200);
+    assert(r.body.cache.hitRate === 50, 'hitRate should be (hits+staleHits)/(hits+staleHits+misses) = 50%, got ' + r.body.cache.hitRate);
+    // Reset
+    cache.hits = 0;
+    cache.misses = 0;
+    cache.staleHits = 0;
+  });
+
   // ── Summary ──
   console.log(`\n═══ Server Route Tests: ${passed} passed, ${failed} failed ═══`);
   if (failed > 0) process.exit(1);