Update Proto Rig API #448

Open
rongxin-liu wants to merge 2 commits into main from rongxin/update-proto-rig-api

@rongxin-liu rongxin-liu commented Jun 14, 2026

Contributor

Summary

  • Update the vendored Proto Rig API snapshot from miner-firmware commit 23df12824401403ec909dd9053e8d002f4c3d1e3.
  • Add the new hashboard test proto and regenerate ProtoOS OpenAPI TypeScript types.
  • Align fake-proto-rig, ProtoOS, and the Proto plugin with the updated locate LED and public hardware discovery API behavior.

Details

  • POST /api/v1/system/locate now supports the new enable query parameter and updated led_on_time defaults.
  • fake-proto-rig now models timed locate behavior: positive led_on_time auto-clears, while 0 or negative durations persist until enable=false.
  • fake-proto-rig guards timed locate cleanup so an older timer cannot clear a newer persistent locate request.
  • Public hardware discovery endpoints are reflected in the simulator and docs: /hardware, /hardware/psus, /hashboards, and /power-supplies.
  • ProtoOS useHardware now calls public GET /hardware directly instead of using auth retry.
  • The Proto plugin keeps existing BlinkLED behavior bounded by explicitly sending led_on_time=30, because the firmware default is now persistent.

Impact

  • ProtoOS generated API types include the new locate query shape and remove security handling from public hardware discovery methods.
  • Pre-auth/onboarding hardware discovery is closer to the firmware contract.
  • Existing Fleet and plugin blink workflows remain bounded and backward-compatible while the richer persistent locate behavior is available at the lower API layer.

Validation

  • GOWORK=off go test . in server/fake-proto-rig
  • go test ./pkg/proto in plugin/proto
  • ./node_modules/.bin/vitest run src/protoOS/api/hooks/useHardware.test.ts src/protoOS/api/hooks/useLocateSystem.test.ts src/protoOS/components/PageHeader/GlobalActions/GlobalActionsWidgetWrapper.test.tsx
  • Targeted ESLint for touched ProtoOS files
  • Pre-commit hooks
  • Pre-push hooks

github-actions bot added the documentation, javascript, client, server, and shared labels Jun 14, 2026
rongxin-liu changed the title from "[codex] Update proto rig API" to "Update proto rig API" Jun 14, 2026
rongxin-liu changed the title from "Update proto rig API" to "Update Proto Rig API" Jun 14, 2026
github-actions Bot commented Jun 14, 2026


🔐 Codex Security Review

Note: This is an automated security-focused code review generated by Codex.
It should be used as a supplementary check alongside human review.
False positives are possible - use your judgment.

Scope summary

  • Reviewed pull request diff only (75933fce45c269e41e0ba2b30cd33825b0389fa7...a7666fa135d779ad11dd4021a1c8fb8eacdffc31, exact PR three-dot diff)
  • Model: gpt-5.5

💡 Click "edited" above to see previous reviews for this PR.


Review Summary

Overall Risk: LOW

Findings

[LOW] Public hardware routes bypass simulated reboot downtime

  • Category: Reliability
  • Location: server/fake-proto-rig/rest_api_handler.go:618
  • Description: The PR makes hardware discovery endpoints public by registering handlers directly. Previously, the auth wrapper also enforced the fake rig’s reboot/offline behavior. These routes now keep serving data while h.state.Rebooting is true.
  • Impact: Simulator clients can observe impossible state: reboot-gated endpoints appear offline, while hardware/PSU discovery still succeeds. This can hide reconnect/offline handling bugs in tests.
  • Recommendation: Extract the reboot availability check into separate middleware and wrap both public and protected routes with it.

[LOW] Locate requests can create unbounded sleeper goroutines

  • Category: Reliability | Concurrency
  • Location: server/fake-proto-rig/rest_api_handler.go:1508
  • Description: Each positive led_on_time spawns a goroutine that sleeps for the caller-provided duration. There is no upper bound, and very large values can either park goroutines for years or overflow time.Duration.
  • Impact: Repeated authenticated locate calls can accumulate sleeping goroutines and memory pressure in the simulator; overflow can also clear locate mode earlier than requested.
  • Recommendation: Validate and cap led_on_time before converting to time.Duration, and prefer a single cancellable timer per fake rig state.

Notes

No changed SQL, migrations, production RPC handlers, Nmap/shell execution, Docker config, Rust/Python plugin code, or pool/wallet rewrite logic appeared in .git/codex-review.diff.

The hardware discovery auth relaxation appears intentional across OpenAPI, generated client, docs, tests, and simulator. The finding above is about losing the shared reboot gate, not the public read-only contract itself.


Generated by Codex Security Review |
Triggered by: @rongxin-liu |
Review workflow run
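
The first finding's recommendation (one reboot availability check wrapped around both public and protected routes), as an added Go example that is not code from this PR or from fake-proto-rig. The `rig` type, the `gate` helper, the `/api/v1` prefix on the hardware route, the 503 reboot response and the header-presence auth check are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sync/atomic"
)

// rig is a hypothetical stand-in for the fake rig handler and its state.
type rig struct{ rebooting atomic.Bool }

// gate answers with code while blocked(req) is true, otherwise calls next.
func gate(blocked func(*http.Request) bool, code int, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
		if blocked(req) {
			http.Error(w, http.StatusText(code), code)
			return
		}
		next.ServeHTTP(w, req)
	})
}

func ok(w http.ResponseWriter, _ *http.Request) { w.WriteHeader(http.StatusOK) }

// routes applies auth per route and the reboot gate once around the mux,
// so dropping auth from a route can no longer drop the reboot check with it.
func (r *rig) routes() http.Handler {
	rebooting := func(*http.Request) bool { return r.rebooting.Load() }
	noAuth := func(q *http.Request) bool { return q.Header.Get("Authorization") == "" }
	mux := http.NewServeMux()
	mux.Handle("/api/v1/hardware", http.HandlerFunc(ok)) // public (prefix assumed)
	mux.Handle("/api/v1/system/locate", gate(noAuth, http.StatusUnauthorized, http.HandlerFunc(ok)))
	return gate(rebooting, http.StatusServiceUnavailable, mux)
}

// status returns the response code for a request that carries no credentials.
func status(h http.Handler, method, path string) int {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(method, path, nil))
	return rec.Code
}

func main() {
	r := &rig{}
	r.rebooting.Store(true)
	fmt.Println(status(r.routes(), "GET", "/api/v1/hardware")) // 503
}
```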
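
The timed locate behavior from the PR description (positive `led_on_time` auto-clears, 0 or negative persists, an older timer must not clear a newer request) combined with the second finding's recommendation to cap the value and keep a single cancellable timer, as an added Go example that is not code from this PR. The `locateState` type, the `SetLocate` signature, its `unit` parameter and the 10-minute ceiling are assumptions.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
	"time"
)

// maxLedOnTime is an assumed simulator ceiling; the review names no value.
const maxLedOnTime = 10 * time.Minute

// locateState is a hypothetical stand-in for the fake rig's locate fields.
type locateState struct {
	mu     sync.Mutex
	active bool
	gen    uint64      // bumped on every accepted request
	timer  *time.Timer // the single pending auto-clear, if any
}

// SetLocate applies one request; unit is time.Second outside of tests.
func (s *locateState) SetLocate(enable bool, ledOnTime int64, unit time.Duration) error {
	// Compare before multiplying so a huge value cannot overflow time.Duration.
	if enable && ledOnTime > int64(maxLedOnTime/unit) {
		return errors.New("led_on_time exceeds maximum")
	}
	s.mu.Lock()
	defer s.mu.Unlock()
	if s.timer != nil {
		s.timer.Stop() // replace, never stack, the pending auto-clear
	}
	s.gen++
	s.active = enable
	if enable && ledOnTime > 0 {
		gen := s.gen
		s.timer = time.AfterFunc(time.Duration(ledOnTime)*unit, func() {
			s.mu.Lock()
			defer s.mu.Unlock()
			if s.gen == gen { // otherwise a newer request owns the state
				s.active = false
			}
		})
	}
	return nil
}

func main() {
	s := &locateState{}
	fmt.Println(s.SetLocate(true, 1<<62, time.Second)) // led_on_time exceeds maximum
}
```

`Stop` covers a timer that has not fired yet; the generation check covers one whose callback is already waiting on the mutex when the newer request arrives.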

@rongxin-liu rongxin-liu marked this pull request as ready for review June 14, 2026 13:17
@rongxin-liu rongxin-liu requested a review from a team as a code owner June 14, 2026 13:17
Copilot AI review requested due to automatic review settings June 14, 2026 13:17

@rongxin-liu rongxin-liu requested a review from Copilot June 14, 2026 13:18
