fix: align packet decoder with MeshCore firmware spec

Compared decoder.js against the MeshCore firmware source (Dispatcher.cpp,
Packet.h, Mesh.cpp, AdvertDataHelpers.h) and fixed all mismatches:

1. Field order: transport codes now parsed BEFORE path_length byte,
   matching the spec: [header][transport_codes?][path_length][path][payload]

2. ACK payload: was incorrectly decoded as dest(1)+src(1)+ackHash(4).
   Firmware shows ACK is just checksum(4) — no dest/src hashes.

3. TRACE payload: was incorrectly decoded as flags(1)+tag(4)+dest(6)+src(1).
   Firmware shows tag(4)+authCode(4)+flags(1)+pathData.

4. ADVERT appdata: added missing feature1 (0x20 flag) and feature2
   (0x40 flag) parsing — 2-byte fields between location and name.

5. Transport code field naming: renamed nextHop/lastHop to code1/code2
   to match spec terminology (transport_code_1/transport_code_2).

6. Fixed incorrect field size labels in packets.js hex breakdown:
   dest/src are 1 byte, MAC is 2 bytes (not 6B/6B/4B).

7. Fixed ANON_REQ/PATH comment typos (dest was listed as 6 bytes,
   MAC as 4 bytes — both wrong, code was already correct).

All 329 tests pass (66 decoder + 263 spec/golden).

.github/workflows/deploy.yml

@@ -17,7 +17,7 @@ on:
       - 'docs/**'
 
 concurrency:
-  group: deploy
+  group: deploy-${{ github.event.pull_request.number || github.ref }}
   cancel-in-progress: true
 
 env:
@@ -122,6 +122,13 @@ jobs:
           echo "| Server | ${SERVER_COV}% |" >> $GITHUB_STEP_SUMMARY
           echo "| Ingestor | ${INGESTOR_COV}% |" >> $GITHUB_STEP_SUMMARY
 
+      - name: Cancel workflow on failure
+        if: failure()
+        run: |
+          curl -s -X POST \
+            -H "Authorization: Bearer ${{ github.token }}" \
+            "https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/cancel"
+
       - name: Upload Go coverage badges
         if: always()
         uses: actions/upload-artifact@v4
@@ -263,6 +270,13 @@ jobs:
           BASE_URL=http://localhost:13581 node test-e2e-playwright.js || true
           kill $SERVER_PID 2>/dev/null || true
 
+      - name: Cancel workflow on failure
+        if: failure()
+        run: |
+          curl -s -X POST \
+            -H "Authorization: Bearer ${{ github.token }}" \
+            "https://api.github.com/repos/${{ github.repository }}/actions/runs/${{ github.run_id }}/cancel"
+
       - name: Upload Node.js test badges
         if: always()
         uses: actions/upload-artifact@v4
@@ -278,7 +292,7 @@ jobs:
   build:
     name: "🏗️ Build Docker Image"
     if: github.event_name == 'push'
-    needs: [go-test]
+    needs: [go-test, node-test]
     runs-on: self-hosted
     steps:
       - name: Checkout code

RELEASE-v3.1.0.md

@@ -0,0 +1,144 @@
+# v3.1.0 — Now It's CoreScope
+
+MeshCore Analyzer has a new name: **CoreScope**. Same mesh analysis you rely on, sharper identity, and a boatload of fixes and performance wins since v3.0.0.
+
+48 commits, 30+ issues closed. Here's what changed.
+
+---
+
+## 🏷️ Renamed to CoreScope
+
+The project is now **CoreScope** — frontend, backend, Docker images, manage.sh, docs, CI — everything has been updated. The URL, the API, the database, and your config all stay the same. Just a better name for the tool the community built.
+
+---
+
+## ⚡ Performance
+
+| What | Before | After |
+|------|--------|-------|
+| Subpath analytics | 900 ms | **5 ms** (precomputed at ingest) |
+| Distance analytics | 1.2 s | **15 ms** (precomputed at ingest) |
+| Packet ingest (prepend) | O(n) slice copy | **O(1) append** |
+| Go runtime stats | GC stop-the-world on every call | **cached ReadMemStats** |
+| All analytics endpoints | computed per-request | **TTL-cached** |
+
+The in-memory store now precomputes subpaths and distance data as packets arrive, eliminating expensive full-table scans on the analytics endpoints. The O(n) slice prepend on every ingest — the single hottest line in the server — is gone. `ReadMemStats` calls are cached to prevent GC pause spikes under load.
+
+---
+
+## 🆕 New Features
+
+### Telemetry Decode
+Sensor nodes now report **battery voltage** and **temperature** parsed from advert payloads. Telemetry is gated on the sensor flag — only real sensors emit data, and 0°C is no longer falsely reported. Safe migration with `PRAGMA` column checks.
+
+### Channel Decryption for Custom Channels
+The `hashChannels` config now works in the Go ingestor. Key derivation has been ported from Node.js with full AES-128-ECB support and garbage text detection — wrong keys silently fail instead of producing garbled output.
+
+### Node Pruning
+Stale nodes are automatically moved to an `inactive_nodes` table after the configurable retention window. Pruning runs hourly. Your active node list stays clean. (#202)
+
+### Duplicate Node Name Badges
+Nodes with the same display name but different public keys are flagged with a badge so you can spot collisions instantly.
+
+### Sortable Channels Table
+Channel columns are now sortable with click-to-sort headers. Sort preferences persist in `localStorage` across sessions. (#167)
+
+### Go Runtime Metrics
+The performance page exposes goroutine count, heap allocation, GC pause percentiles, and memory breakdown when connected to a Go backend.
+
+---
+
+## 🐛 Bug Fixes
+
+- **Channel decryption regression** (#176) — full AES-128-ECB in Go, garbage text detection, hashChannels key derivation ported correctly (#218)
+- **Packets page not live-updating** (#172) — WebSocket broadcast now includes the nested packet object and timestamp fields the frontend expects; multiple fixes across broadcast and render paths
+- **Node detail page crashes** (#190) — `Number()` casts and `Array.isArray` guards prevent rendering errors on unexpected data shapes
+- **Observation count staleness** (#174) — trace page and packet detail now show correct observation counts
+- **Phantom node cleanup** (#133) — `autoLearnHopNodes` no longer creates fake nodes from 1-byte repeater IDs
+- **Advert count inflation** (#200) — counts unique transmissions, not total observations (8 observers × 1 advert = 1, not 8)
+- **SQLite BUSY contention** (#214) — `MaxOpenConns(1)` + `MaxIdleConns(1)` serializes writes; load-tested under concurrent ingest
+- **Decoder bounds check** (#183) — corrupt/malformed packets no longer crash the decoder with buffer overruns
+- **noise_floor / battery_mv type mismatches** — consistent `float64` scanning handles SQLite REAL values correctly
+- **packetsLastHour always zero** (#182) — early `break` in observer loop prevented counting
+- **Channels stale messages** (#171) — latest message sorted by observation timestamp, not first-seen
+- **pprof port conflict** — non-fatal bind with separate ports prevents Go server crash on startup
+
+---
+
+## ♿ Accessibility & 📱 Mobile
+
+### WCAG AA Compliance (10 fixes)
+- Search results keyboard-accessible with `tabindex`, `role`, and arrow-key navigation (#208)
+- 40+ table headers given `scope` attributes (#211)
+- 9 Chart.js canvases given accessible names (#210)
+- Form inputs in customizer/filters paired with labels (#212)
+
+### Mobile Responsive
+- **Live page**: bottom-sheet panel instead of full-screen overlay (#203)
+- **Perf page**: responsive layout with stacked cards (#204)
+- **Nodes table**: column hiding at narrow viewports (#205)
+- **Analytics/Compare**: horizontal scroll wrappers (#206)
+- **VCR bar**: 44px minimum touch targets (#207)
+
+---
+
+## 🏗️ Infrastructure
+
+### manage.sh Refactored (#230)
+`manage.sh` is now a thin wrapper around `docker compose` — no custom container management, no divergent logic. It reads `.env` for data paths, matching how `docker-compose.yml` works. One source of truth.
+
+### .env Support
+Data directory, ports, and image tags are configured via `.env`. Both `docker compose` and `manage.sh` read the same file.
+
+### Branch Protection & CI on PRs
+- Branch protection enabled on `master` — CI must pass, PRs required
+- CI now triggers on `pull_request`, not just `push` — catch failures before merge (#199)
+
+### Protobuf API Contract
+10 `.proto` files, 33 golden fixtures, CI validation on every push. API shape drift is caught automatically.
+
+### pprof Profiling
+Controlled by `ENABLE_PPROF` env var. When enabled, exposes Go profiling endpoints on separate ports — zero overhead when off.
+
+### Test Coverage
+- Go backend: **92%+** coverage
+- **49 Playwright E2E tests**
+- Both tracks gate deploy in CI
+
+---
+
+## 📦 Upgrading
+
+```bash
+git pull
+./manage.sh stop
+./manage.sh setup
+```
+
+That's it. Your existing `config.json` and database work as-is. The rename is cosmetic — no schema changes, no API changes, no config changes.
+
+### Verify
+
+```bash
+curl -s http://localhost/api/health | grep engine
+# "engine": "go"
+```
+
+---
+
+## ⚠️ Breaking Changes
+
+**None.** All API endpoints, WebSocket messages, and config options are backwards-compatible. The rename affects branding only — Docker image names, page titles, and documentation.
+
+---
+
+## 🙏 Thank You
+
+- **efiten** — PR #222 performance fix (O(n) slice prepend elimination)
+- **jade-on-mesh**, **lincomatic**, **LitBomb**, **mibzzer15** — ongoing testing, feedback, and issue reports
+
+And to everyone running CoreScope on their mesh networks — your real-world data drives every fix and feature in this release. 48 commits since v3.0.0, and every one of them came from something the community found, reported, or requested.
+
+---
+
+*Previous release: [v3.0.0](RELEASE-v3.0.0.md)*

cmd/server/routes.go

@@ -33,6 +33,11 @@ type Server struct {
 	memStatsMu   sync.Mutex
 	memStatsCache runtime.MemStats
 	memStatsCachedAt time.Time
+
+	// Cached /api/stats response — recomputed at most once every 10s
+	statsMu      sync.Mutex
+	statsCache   *StatsResponse
+	statsCachedAt time.Time
 }
 
 // PerfStats tracks request performance.
@@ -380,6 +385,17 @@ func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
 }
 
 func (s *Server) handleStats(w http.ResponseWriter, r *http.Request) {
+	const statsTTL = 10 * time.Second
+
+	s.statsMu.Lock()
+	if s.statsCache != nil && time.Since(s.statsCachedAt) < statsTTL {
+		cached := s.statsCache
+		s.statsMu.Unlock()
+		writeJSON(w, cached)
+		return
+	}
+	s.statsMu.Unlock()
+
 	var stats *Stats
 	var err error
 	if s.store != nil {
@@ -392,7 +408,7 @@ func (s *Server) handleStats(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 	counts := s.db.GetRoleCounts()
-	writeJSON(w, StatsResponse{
+	resp := &StatsResponse{
 		TotalPackets:       stats.TotalPackets,
 		TotalTransmissions: &stats.TotalTransmissions,
 		TotalObservations:  stats.TotalObservations,
@@ -411,7 +427,14 @@ func (s *Server) handleStats(w http.ResponseWriter, r *http.Request) {
 			Companions: counts["companions"],
 			Sensors:    counts["sensors"],
 		},
-	})
+	}
+
+	s.statsMu.Lock()
+	s.statsCache = resp
+	s.statsCachedAt = time.Now()
+	s.statsMu.Unlock()
+
+	writeJSON(w, resp)
 }
 
 func (s *Server) handlePerf(w http.ResponseWriter, r *http.Request) {

cmd/server/store.go

@@ -98,6 +98,11 @@ type PacketStore struct {
 	// computed during Load() and incrementally updated on ingest.
 	distHops  []distHopRecord
 	distPaths []distPathRecord
+
+	// Cached GetNodeHashSizeInfo result — recomputed at most once every 15s
+	hashSizeInfoMu    sync.Mutex
+	hashSizeInfoCache map[string]*hashSizeNodeInfo
+	hashSizeInfoAt    time.Time
 }
 
 // Precomputed distance records for fast analytics aggregation.
@@ -3722,8 +3727,26 @@ type hashSizeNodeInfo struct {
 	Inconsistent bool
 }
 
-// GetNodeHashSizeInfo scans advert packets to compute per-node hash size data.
+// GetNodeHashSizeInfo returns cached per-node hash size data, recomputing at most every 15s.
 func (s *PacketStore) GetNodeHashSizeInfo() map[string]*hashSizeNodeInfo {
+	const ttl = 15 * time.Second
+	s.hashSizeInfoMu.Lock()
+	if s.hashSizeInfoCache != nil && time.Since(s.hashSizeInfoAt) < ttl {
+		cached := s.hashSizeInfoCache
+		s.hashSizeInfoMu.Unlock()
+		return cached
+	}
+	s.hashSizeInfoMu.Unlock()
+	result := s.computeNodeHashSizeInfo()
+	s.hashSizeInfoMu.Lock()
+	s.hashSizeInfoCache = result
+	s.hashSizeInfoAt = time.Now()
+	s.hashSizeInfoMu.Unlock()
+	return result
+}
+
+// computeNodeHashSizeInfo scans advert packets to compute per-node hash size data.
+func (s *PacketStore) computeNodeHashSizeInfo() map[string]*hashSizeNodeInfo {
 	s.mu.RLock()
 	defer s.mu.RUnlock()
 

decoder.js

@@ -2,8 +2,8 @@
  * MeshCore Packet Decoder
  * Custom implementation — does NOT use meshcore-decoder library (known path_length bug).
  *
- * Packet layout:
- *   [header(1)] [pathLength(1)] [transportCodes?] [path hops] [payload...]
+ * Packet layout (per firmware docs/packet_format.md):
+ *   [header(1)] [transportCodes?(4)] [pathLength(1)] [path hops] [payload...]
  *
  * Header byte (LSB first):
  *   bits 1-0: routeType (0=TRANSPORT_FLOOD, 1=FLOOD, 2=DIRECT, 3=TRANSPORT_DIRECT)
@@ -42,7 +42,7 @@ const PAYLOAD_TYPES = {
   0x0F: 'RAW_CUSTOM',
 };
 
-// Route types that carry transport codes (nextHop + lastHop, 2 bytes each)
+// Route types that carry transport codes (2x uint16_t, 4 bytes total)
 const TRANSPORT_ROUTES = new Set([0, 3]); // TRANSPORT_FLOOD, TRANSPORT_DIRECT
 
 // --- Header parsing ---
@@ -94,13 +94,11 @@ function decodeEncryptedPayload(buf) {
   };
 }
 
-/** ACK: dest(1) + src(1) + ack_hash(4) (per Mesh.cpp) */
+/** ACK: checksum(4) — CRC of message timestamp + text + sender pubkey (per Mesh.cpp createAck) */
 function decodeAck(buf) {
-  if (buf.length < 6) return { error: 'too short', raw: buf.toString('hex') };
+  if (buf.length < 4) return { error: 'too short', raw: buf.toString('hex') };
   return {
-    destHash: buf.subarray(0, 1).toString('hex'),
-    srcHash: buf.subarray(1, 2).toString('hex'),
-    extraHash: buf.subarray(2, 6).toString('hex'),
+    ackChecksum: buf.subarray(0, 4).toString('hex'),
   };
 }
 
@@ -125,6 +123,8 @@ function decodeAdvert(buf) {
       room: advType === 3,
       sensor: advType === 4,
       hasLocation: !!(flags & 0x10),
+      hasFeat1: !!(flags & 0x20),
+      hasFeat2: !!(flags & 0x40),
       hasName: !!(flags & 0x80),
     };
 
@@ -134,6 +134,14 @@ function decodeAdvert(buf) {
       result.lon = appdata.readInt32LE(off + 4) / 1e6;
       off += 8;
     }
+    if (result.flags.hasFeat1 && appdata.length >= off + 2) {
+      result.feat1 = appdata.readUInt16LE(off);
+      off += 2;
+    }
+    if (result.flags.hasFeat2 && appdata.length >= off + 2) {
+      result.feat2 = appdata.readUInt16LE(off);
+      off += 2;
+    }
     if (result.flags.hasName) {
       // Find null terminator to separate name from trailing telemetry bytes
       let nameEnd = appdata.length;
@@ -231,7 +239,7 @@ function decodeGrpTxt(buf, channelKeys) {
   return { type: 'GRP_TXT', channelHash, channelHashHex, decryptionStatus: 'no_key', mac, encryptedData };
 }
 
-/** ANON_REQ: dest(6) + ephemeral_pubkey(32) + MAC(4) + encrypted */
+/** ANON_REQ: dest(1) + ephemeral_pubkey(32) + MAC(2) + encrypted */
 function decodeAnonReq(buf) {
   if (buf.length < 35) return { error: 'too short', raw: buf.toString('hex') };
   return {
@@ -242,7 +250,7 @@ function decodeAnonReq(buf) {
   };
 }
 
-/** PATH: dest(6) + src(6) + MAC(4) + path_data */
+/** PATH: dest(1) + src(1) + MAC(2) + path_data */
 function decodePath_payload(buf) {
   if (buf.length < 4) return { error: 'too short', raw: buf.toString('hex') };
   return {
@@ -253,14 +261,14 @@ function decodePath_payload(buf) {
   };
 }
 
-/** TRACE: flags(1) + tag(4) + dest(6) + src(1) */
+/** TRACE: tag(4) + authCode(4) + flags(1) + pathData (per Mesh.cpp onRecvPacket TRACE) */
 function decodeTrace(buf) {
-  if (buf.length < 12) return { error: 'too short', raw: buf.toString('hex') };
+  if (buf.length < 9) return { error: 'too short', raw: buf.toString('hex') };
   return {
-    flags: buf[0],
-    tag: buf.readUInt32LE(1),
-    destHash: buf.subarray(5, 11).toString('hex'),
-    srcHash: buf.subarray(11, 12).toString('hex'),
+    tag: buf.readUInt32LE(0),
+    authCode: buf.subarray(4, 8).toString('hex'),
+    flags: buf[8],
+    pathData: buf.subarray(9).toString('hex'),
   };
 }
 
@@ -289,20 +297,22 @@ function decodePacket(hexString, channelKeys) {
   if (buf.length < 2) throw new Error('Packet too short (need at least header + pathLength)');
 
   const header = decodeHeader(buf[0]);
-  const pathByte = buf[1];
-  let offset = 2;
+  let offset = 1;
 
-  // Transport codes for TRANSPORT_FLOOD / TRANSPORT_DIRECT
+  // Transport codes for TRANSPORT_FLOOD / TRANSPORT_DIRECT — BEFORE path_length per spec
   let transportCodes = null;
   if (TRANSPORT_ROUTES.has(header.routeType)) {
     if (buf.length < offset + 4) throw new Error('Packet too short for transport codes');
     transportCodes = {
-      nextHop: buf.subarray(offset, offset + 2).toString('hex').toUpperCase(),
-      lastHop: buf.subarray(offset + 2, offset + 4).toString('hex').toUpperCase(),
+      code1: buf.subarray(offset, offset + 2).toString('hex').toUpperCase(),
+      code2: buf.subarray(offset + 2, offset + 4).toString('hex').toUpperCase(),
     };
     offset += 4;
   }
 
+  // Path length byte — AFTER transport codes per spec
+  const pathByte = buf[offset++];
+
   // Path
   const path = decodePath(pathByte, buf, offset);
   offset += path.bytesConsumed;
@@ -386,7 +396,7 @@ module.exports = { decodePacket, validateAdvert, hasNonPrintableChars, ROUTE_TYP
 
 // --- Tests ---
 if (require.main === module) {
-  console.log('=== Test 1: ADVERT, FLOOD, 5 hops (2-byte hashes), "Test Repeater" ===');
+  console.log('=== Test 1: ADVERT, FLOOD, 5 hops (2-byte hashes), "Kpa Roof Solar" ===');
   const pkt1 = decodePacket(
     '11451000D818206D3AAC152C8A91F89957E6D30CA51F36E28790228971C473B755F244F718754CF5EE4A2FD58D944466E42CDED140C66D0CC590183E32BAF40F112BE8F3F2BDF6012B4B2793C52F1D36F69EE054D9A05593286F78453E56C0EC4A3EB95DDA2A7543FCCC00B939CACC009278603902FC12BCF84B706120526F6F6620536F6C6172'
   );
@@ -402,7 +412,7 @@ if (require.main === module) {
   assert(pkt1.path.hops[0] === '1000', 'first hop should be 1000');
   assert(pkt1.path.hops[1] === 'D818', 'second hop should be D818');
   assert(pkt1.transportCodes === null, 'FLOOD has no transport codes');
-  assert(pkt1.payload.name === 'Test Repeater', 'name should be "Test Repeater"');
+  assert(pkt1.payload.name === 'Kpa Roof Solar', 'name should be "Kpa Roof Solar"');
   console.log('✅ Test 1 passed\n');
 
   console.log('=== Test 2: ADVERT, FLOOD, 0 hops (zero-path) ===');

docker-compose.yml

@@ -5,9 +5,12 @@
 
 services:
   prod:
+    build: .
     image: corescope:latest
     container_name: corescope-prod
     restart: unless-stopped
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     ports:
       - "${PROD_HTTP_PORT:-80}:${PROD_HTTP_PORT:-80}"
       - "${PROD_HTTPS_PORT:-443}:${PROD_HTTPS_PORT:-443}"
@@ -26,9 +29,12 @@ services:
       retries: 3
 
   staging:
+    build: .
     image: corescope:latest
     container_name: corescope-staging
     restart: unless-stopped
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     ports:
       - "${STAGING_HTTP_PORT:-81}:${STAGING_HTTP_PORT:-81}"
       - "${STAGING_MQTT_PORT:-1884}:1883"
@@ -57,6 +63,8 @@ services:
     image: corescope-go:latest
     container_name: corescope-staging-go
     restart: unless-stopped
+    extra_hosts:
+      - "host.docker.internal:host-gateway"
     ports:
       - "${STAGING_GO_HTTP_PORT:-82}:80"
       - "${STAGING_GO_MQTT_PORT:-1885}:1883"

docs/rename-migration.md

@@ -0,0 +1,101 @@
+# CoreScope Migration Guide
+
+MeshCore Analyzer has been renamed to **CoreScope**. This document covers what you need to update.
+
+## What Changed
+
+- **Repository name**: `meshcore-analyzer` → `corescope`
+- **Docker image name**: `meshcore-analyzer:latest` → `corescope:latest`
+- **Docker container prefixes**: `meshcore-*` → `corescope-*`
+- **Default site name**: "MeshCore Analyzer" → "CoreScope"
+
+## What Did NOT Change
+
+- **Data directories** — `~/meshcore-data/` stays as-is
+- **Database filename** — `meshcore.db` is unchanged
+- **MQTT topics** — `meshcore/#` topics are protocol-level and unchanged
+- **Browser state** — Favorites, localStorage keys, and settings are preserved
+- **Config file format** — `config.json` structure is the same
+
+---
+
+## 1. Git Remote Update
+
+Update your local clone to point to the new repository URL:
+
+```bash
+git remote set-url origin https://github.com/Kpa-clawbot/corescope.git
+git pull
+```
+
+## 2. Docker (manage.sh) Users
+
+Rebuild with the new image name:
+
+```bash
+./manage.sh stop
+git pull
+./manage.sh setup
+```
+
+The new image is `corescope:latest`. You can clean up the old image:
+
+```bash
+docker rmi meshcore-analyzer:latest
+```
+
+## 3. Docker Compose Users
+
+Rebuild containers with the new names:
+
+```bash
+docker compose down
+git pull
+docker compose build
+docker compose up -d
+```
+
+Container names change from `meshcore-*` to `corescope-*`. Old containers are removed by `docker compose down`.
+
+## 4. Data Directories
+
+**No action required.** The data directory `~/meshcore-data/` and database file `meshcore.db` are unchanged. Your existing data carries over automatically.
+
+## 5. Config
+
+If you customized `branding.siteName` in your `config.json`, update it to your preferred name. Otherwise the new default "CoreScope" applies automatically.
+
+No other config keys changed.
+
+## 6. MQTT
+
+**No action required.** MQTT topics (`meshcore/#`) are protocol-level and are not affected by the rename.
+
+## 7. Browser
+
+**No action required.** Bookmarks/favorites will continue to work at the same host and port. localStorage keys are unchanged, so your settings and preferences are preserved.
+
+## 8. CI/CD
+
+If you have custom CI/CD pipelines that reference:
+
+- The old repository URL (`meshcore-analyzer`)
+- The old Docker image name (`meshcore-analyzer:latest`)
+- Old container names (`meshcore-*`)
+
+Update those references to use the new names.
+
+---
+
+## Summary Checklist
+
+| Item | Action Required? | What to Do |
+|------|-----------------|------------|
+| Git remote | ✅ Yes | `git remote set-url origin …corescope.git` |
+| Docker image | ✅ Yes | Rebuild; optionally `docker rmi` old image |
+| Docker Compose | ✅ Yes | `docker compose down && build && up` |
+| Data directories | ❌ No | Unchanged |
+| Config | ⚠️ Maybe | Only if you customized `branding.siteName` |
+| MQTT | ❌ No | Topics unchanged |
+| Browser | ❌ No | Settings preserved |
+| CI/CD | ⚠️ Maybe | Update if referencing old repo/image names |

public/packets.js

@@ -1512,14 +1512,12 @@
       rows += fieldRow(off + 1, 'Sender', decoded.sender || '—', '');
       if (decoded.sender_timestamp) rows += fieldRow(off + 2, 'Sender Time', decoded.sender_timestamp, '');
     } else if (decoded.type === 'ACK') {
-      rows += fieldRow(off, 'Dest Hash (6B)', decoded.destHash || '', '');
-      rows += fieldRow(off + 6, 'Src Hash (6B)', decoded.srcHash || '', '');
-      rows += fieldRow(off + 12, 'Extra (6B)', decoded.extraHash || '', '');
+      rows += fieldRow(off, 'Checksum (4B)', decoded.ackChecksum || '', '');
     } else if (decoded.destHash !== undefined) {
-      rows += fieldRow(off, 'Dest Hash (6B)', decoded.destHash || '', '');
-      rows += fieldRow(off + 6, 'Src Hash (6B)', decoded.srcHash || '', '');
-      rows += fieldRow(off + 12, 'MAC (4B)', decoded.mac || '', '');
-      rows += fieldRow(off + 16, 'Encrypted Data', truncate(decoded.encryptedData || '', 30), '');
+      rows += fieldRow(off, 'Dest Hash (1B)', decoded.destHash || '', '');
+      rows += fieldRow(off + 1, 'Src Hash (1B)', decoded.srcHash || '', '');
+      rows += fieldRow(off + 2, 'MAC (2B)', decoded.mac || '', '');
+      rows += fieldRow(off + 4, 'Encrypted Data', truncate(decoded.encryptedData || '', 30), '');
     } else {
       rows += fieldRow(off, 'Raw', truncate(buf.slice(off * 2), 40), '');
     }

test-decoder-spec.js

@@ -122,13 +122,14 @@ console.log('── Spec Tests: Transport Codes ──');
 
 {
   // Route type 0 (TRANSPORT_FLOOD) and 3 (TRANSPORT_DIRECT) should have 4-byte transport codes
-  // Route type 0: header byte = 0bPPPPPP00, e.g. 0x14 = payloadType 5 (GRP_TXT), routeType 0
-  const hex = '1400' + 'AABB' + 'CCDD' + '1A' + '00'.repeat(10); // transport codes + GRP_TXT payload
+  // Route type 0: header=0x14 = payloadType 5 (GRP_TXT), routeType 0 (TRANSPORT_FLOOD)
+  // Format: header(1) + transportCodes(4) + pathByte(1) + payload
+  const hex = '14' + 'AABB' + 'CCDD' + '00' + '1A' + '00'.repeat(10); // transport codes + pathByte + GRP_TXT payload
   const p = decodePacket(hex);
   assertEq(p.header.routeType, 0, 'transport: routeType=0 (TRANSPORT_FLOOD)');
   assert(p.transportCodes !== null, 'transport: transportCodes present for TRANSPORT_FLOOD');
-  assertEq(p.transportCodes.nextHop, 'AABB', 'transport: nextHop');
-  assertEq(p.transportCodes.lastHop, 'CCDD', 'transport: lastHop');
+  assertEq(p.transportCodes.code1, 'AABB', 'transport: code1');
+  assertEq(p.transportCodes.code2, 'CCDD', 'transport: code2');
 }
 
 {
@@ -257,13 +258,13 @@ console.log('── Spec Tests: Advert Payload ──');
 
 console.log('── Spec Tests: Encrypted Payload Format ──');
 
-// NOTE: Spec says v1 encrypted payloads have dest(1) + src(1) + MAC(2) + ciphertext
-// But decoder reads dest(6) + src(6) + MAC(4) + ciphertext
-// This is a known discrepancy — the decoder matches production behavior, not the spec.
-// The spec may describe the firmware's internal addressing while the OTA format differs,
-// or the decoder may be parsing the fields differently. Production data validates the decoder.
+// Spec says v1 encrypted payloads: dest(1)+src(1)+MAC(2)+cipher — decoder matches this.
 {
-  note('Spec says v1 encrypted payloads: dest(1)+src(1)+MAC(2)+cipher, but decoder reads dest(6)+src(6)+MAC(4)+cipher — decoder matches prod data');
+  const hex = '0100' + 'AA' + 'BB' + 'CCDD' + '00'.repeat(10);
+  const p = decodePacket(hex);
+  assertEq(p.payload.destHash, 'aa', 'encrypted payload: dest is 1 byte');
+  assertEq(p.payload.srcHash, 'bb', 'encrypted payload: src is 1 byte');
+  assertEq(p.payload.mac, 'ccdd', 'encrypted payload: MAC is 2 bytes');
 }
 
 console.log('── Spec Tests: validateAdvert ──');

test-decoder.js

@@ -28,22 +28,22 @@ test('FLOOD + ADVERT = 0x11', () => {
 });
 
 test('TRANSPORT_FLOOD = routeType 0', () => {
-  // 0x00 = TRANSPORT_FLOOD + REQ(0), needs transport codes + 16 byte payload
-  const hex = '0000' + 'AABB' + 'CCDD' + '00'.repeat(16);
+  // header=0x00 (TRANSPORT_FLOOD + REQ), transportCodes=AABB+CCDD, pathByte=0x00, payload
+  const hex = '00' + 'AABB' + 'CCDD' + '00' + '00'.repeat(16);
   const p = decodePacket(hex);
   assert.strictEqual(p.header.routeType, 0);
   assert.strictEqual(p.header.routeTypeName, 'TRANSPORT_FLOOD');
   assert.notStrictEqual(p.transportCodes, null);
-  assert.strictEqual(p.transportCodes.nextHop, 'AABB');
-  assert.strictEqual(p.transportCodes.lastHop, 'CCDD');
+  assert.strictEqual(p.transportCodes.code1, 'AABB');
+  assert.strictEqual(p.transportCodes.code2, 'CCDD');
 });
 
 test('TRANSPORT_DIRECT = routeType 3', () => {
-  const hex = '0300' + '1122' + '3344' + '00'.repeat(16);
+  const hex = '03' + '1122' + '3344' + '00' + '00'.repeat(16);
   const p = decodePacket(hex);
   assert.strictEqual(p.header.routeType, 3);
   assert.strictEqual(p.header.routeTypeName, 'TRANSPORT_DIRECT');
-  assert.strictEqual(p.transportCodes.nextHop, '1122');
+  assert.strictEqual(p.transportCodes.code1, '1122');
 });
 
 test('DIRECT = routeType 2, no transport codes', () => {
@@ -358,9 +358,7 @@ test('ACK decode', () => {
   const hex = '0D00' + '00'.repeat(18);
   const p = decodePacket(hex);
   assert.strictEqual(p.payload.type, 'ACK');
-  assert(p.payload.destHash);
-  assert(p.payload.srcHash);
-  assert(p.payload.extraHash);
+  assert(p.payload.ackChecksum);
 });
 
 test('ACK too short', () => {
@@ -424,9 +422,9 @@ test('TRACE decode', () => {
   const hex = '2500' + '00'.repeat(12);
   const p = decodePacket(hex);
   assert.strictEqual(p.payload.type, 'TRACE');
-  assert.strictEqual(p.payload.flags, 0);
   assert(p.payload.tag !== undefined);
-  assert(p.payload.destHash);
+  assert(p.payload.authCode !== undefined);
+  assert.strictEqual(p.payload.flags, 0);
 });
 
 test('TRACE too short', () => {
@@ -460,16 +458,18 @@ test('Transport route too short throws', () => {
   assert.throws(() => decodePacket('0000'), /too short for transport/);
 });
 
-test('Corrupt packet #183 — path overflow capped to buffer', () => {
+test('Corrupt packet #183 — TRANSPORT_DIRECT with correct field order', () => {
   const hex = 'BBAD6797EC8751D500BF95A1A776EF580E665BCBF6A0BBE03B5E730707C53489B8C728FD3FB902397197E1263CEC21E52465362243685DBBAD6797EC8751C90A75D9FD8213155D';
   const p = decodePacket(hex);
   assert.strictEqual(p.header.routeType, 3, 'routeType should be TRANSPORT_DIRECT');
   assert.strictEqual(p.header.payloadTypeName, 'UNKNOWN');
-  // pathByte 0xAD claims 45 hops × 3 bytes = 135, but only 65 bytes available
+  // transport codes are bytes 1-4, pathByte=0x87 at byte 5
+  assert.strictEqual(p.transportCodes.code1, 'AD67');
+  assert.strictEqual(p.transportCodes.code2, '97EC');
+  // pathByte 0x87: hashSize=3, hashCount=7
   assert.strictEqual(p.path.hashSize, 3);
-  assert.strictEqual(p.path.hashCount, 21, 'hashCount capped to fit buffer');
-  assert.strictEqual(p.path.hops.length, 21);
-  assert.strictEqual(p.path.truncated, true);
+  assert.strictEqual(p.path.hashCount, 7);
+  assert.strictEqual(p.path.hops.length, 7);
   // No empty strings in hops
   assert(p.path.hops.every(h => h.length > 0), 'no empty hops');
 });