access-controller: add manual unlock button and last-swipe row

Adds a POST /unlock endpoint plus an 'Unlock door' button on the status
page so an operator on the LAN can pulse the door without presenting a
card. Manual unlocks signal access_task (which owns the door + reader),
log an audit event with a sentinel fob id (0), and bypass authorization
entirely. The button is disabled and the endpoint returns 403 while in
onboarding mode.

Also surfaces the most recent door event in a new 'Last swipe' status
row (fob id, Granted/Denied with the existing ok/err styling, age, and
a '(manual)' marker for HTTP-initiated unlocks). State lives in a new
LAST_SWIPE mutex written by access_task; AccessCore is untouched so the
existing simulation tests still hold.

Author: jveski

access-controller/src/http.rs

@@ -19,7 +19,9 @@ use heapless::String as HString;
 
 use crate::ota::{self, OtaError, OtaWriter};
 use crate::settings::{self, Settings, MAX_PASSWORD, MAX_SSID};
-use crate::{DeviceMode, RuntimeConfig, EVENT_BUFFER, MAX_FOBS, WATCHDOG_FEED};
+use crate::{
+    DeviceMode, LastSwipe, RuntimeConfig, EVENT_BUFFER, MANUAL_UNLOCK, MAX_FOBS, WATCHDOG_FEED,
+};
 
 const HTTP_PORT: u16 = 80;
 /// Timeout for normal short requests.
@@ -45,6 +47,7 @@ pub async fn http_server_task(
     stack: &'static Stack<'static>,
     fobs: &'static Mutex<CriticalSectionRawMutex, heapless::Vec<u32, MAX_FOBS>>,
     etag: &'static Mutex<CriticalSectionRawMutex, HString<64>>,
+    last_swipe: &'static Mutex<CriticalSectionRawMutex, Option<LastSwipe>>,
     rt: &'static RuntimeConfig,
 ) {
     // Wait for the network stack to be ready before binding.
@@ -76,7 +79,7 @@ pub async fn http_server_task(
         let peer = socket.remote_endpoint();
         log::info!("http: connection from {:?}", peer);
 
-        handle_connection(&mut socket, fobs, etag, stack, rt).await;
+        handle_connection(&mut socket, fobs, etag, last_swipe, stack, rt).await;
 
         let _ = socket.flush().await;
         socket.close();
@@ -87,6 +90,7 @@ async fn handle_connection(
     socket: &mut TcpSocket<'_>,
     fobs: &Mutex<CriticalSectionRawMutex, heapless::Vec<u32, MAX_FOBS>>,
     etag: &Mutex<CriticalSectionRawMutex, HString<64>>,
+    last_swipe: &Mutex<CriticalSectionRawMutex, Option<LastSwipe>>,
     stack: &Stack<'static>,
     rt: &'static RuntimeConfig,
 ) {
@@ -145,7 +149,7 @@ async fn handle_connection(
             send_redirect(socket, "/config").await;
         }
         ("GET", "/") | ("GET", "/status") => {
-            send_status_page(socket, fobs, etag, stack, rt).await;
+            send_status_page(socket, fobs, etag, last_swipe, stack, rt).await;
         }
         ("GET", "/config") => {
             send_config_page(socket, rt).await;
@@ -188,6 +192,9 @@ async fn handle_connection(
         ("POST", "/ota/rollback") => {
             handle_ota_rollback(socket).await;
         }
+        ("POST", "/unlock") => {
+            handle_manual_unlock(socket, rt).await;
+        }
         ("GET", _) if rt.mode == DeviceMode::Onboarding => {
             // Any unknown GET while onboarding: bounce to /config so
             // OS captive-portal heuristics fire.
@@ -328,6 +335,26 @@ async fn send_ota_error(socket: &mut TcpSocket<'_>, err: OtaError) {
     send_text(socket, err.http_status(), body.as_bytes()).await;
 }
 
+/// Operator-initiated door pulse. Forbidden while onboarding (the
+/// device isn't yet trusted to be on a private LAN). Otherwise the
+/// access_task observes `MANUAL_UNLOCK`, fires `DOOR_SIGNAL` +
+/// `READER_FEEDBACK::Granted`, and records an audit entry with the
+/// `MANUAL_UNLOCK_FOB` sentinel.
+async fn handle_manual_unlock(socket: &mut TcpSocket<'_>, rt: &'static RuntimeConfig) {
+    if rt.mode == DeviceMode::Onboarding {
+        send_status_line(
+            socket,
+            "403 Forbidden",
+            b"manual unlock is disabled during onboarding\n",
+        )
+        .await;
+        return;
+    }
+    log::warn!("http: manual unlock requested by {:?}", socket.remote_endpoint());
+    MANUAL_UNLOCK.signal(());
+    send_text(socket, "200 OK", b"ok: door pulsed\n").await;
+}
+
 /// Case-insensitive scan for `Content-Length: <decimal>` in the header block.
 fn parse_content_length(headers: &str) -> Option<u32> {
     for line in headers.lines() {
@@ -367,17 +394,20 @@ async fn send_status_page(
     socket: &mut TcpSocket<'_>,
     fobs: &Mutex<CriticalSectionRawMutex, heapless::Vec<u32, MAX_FOBS>>,
     etag: &Mutex<CriticalSectionRawMutex, HString<64>>,
+    last_swipe: &Mutex<CriticalSectionRawMutex, Option<LastSwipe>>,
     stack: &Stack<'static>,
     rt: &'static RuntimeConfig,
 ) {
     // Gather state.
-    let uptime_secs = Instant::now().as_millis() / 1000;
+    let uptime_ms = Instant::now().as_millis();
+    let uptime_secs = uptime_ms / 1000;
     let fob_count = fobs.lock().await.len();
     let pending_events = EVENT_BUFFER.len().await;
     let current_etag = {
         let g = etag.lock().await;
         g.clone()
     };
+    let last_swipe_snap: Option<LastSwipe> = *last_swipe.lock().await;
 
     // Snapshot live settings so the page reflects current creds and
     // Conway URL even after a /config save (which reboots, but better
@@ -444,8 +474,57 @@ async fn send_status_page(
         ""
     };
 
-    // Build body. 4 KiB is plenty for this page including the upload form.
-    let mut body: HString<4096> = HString::new();
+    // Format the last-swipe row, e.g.
+    //   "fob 1234567 <span class=ok>Granted</span> &middot; 12s ago (manual)"
+    // or "(none)" if no swipe has been recorded since boot.
+    let mut last_swipe_html: HString<192> = HString::new();
+    match last_swipe_snap {
+        None => {
+            let _ = last_swipe_html.push_str("(none)");
+        }
+        Some(ls) => {
+            let age_ms = uptime_ms.saturating_sub(ls.at_uptime_ms);
+            let age_secs = age_ms / 1000;
+            let (status_class, status_text) = if ls.allowed {
+                ("ok", "Granted")
+            } else {
+                ("err", "Denied")
+            };
+            let label = if ls.manual { " (manual)" } else { "" };
+            if age_secs < 60 {
+                let _ = write!(
+                    last_swipe_html,
+                    "fob {} &middot; <span class=\"{}\">{}</span> &middot; {}s ago{}",
+                    ls.fob, status_class, status_text, age_secs, label
+                );
+            } else {
+                let _ = write!(
+                    last_swipe_html,
+                    "fob {} &middot; <span class=\"{}\">{}</span> &middot; {}m {}s ago{}",
+                    ls.fob,
+                    status_class,
+                    status_text,
+                    age_secs / 60,
+                    age_secs % 60,
+                    label
+                );
+            }
+        }
+    }
+
+    // Manual-unlock button is hidden in onboarding mode (POST /unlock
+    // returns 403 there anyway).
+    let unlock_section: &str = if is_onboarding {
+        ""
+    } else {
+        "<h2>Door</h2>\
+         <p><button id=\"unlockbtn\">Unlock door</button> \
+         <span id=\"unlockstatus\"></span></p>"
+    };
+
+    // Build body. 5 KiB is plenty for this page including the upload
+    // form, last-swipe row, and unlock button.
+    let mut body: HString<5120> = HString::new();
     let _ = write!(
         body,
         "<!doctype html>\
@@ -465,9 +544,11 @@ th{{background:#f3f3f3}}progress{{width:100%}}\
 <tr><th>Conway server</th><td>{chost}:{cport}</td></tr>\
 <tr><th>Cached fobs</th><td>{fobs}</td></tr>\
 <tr><th>Pending events</th><td>{events}</td></tr>\
+<tr><th>Last swipe</th><td>{last_swipe}</td></tr>\
 <tr><th>Sync ETag</th><td>{etag}</td></tr>\
 <tr><th>OTA slot</th><td>{ota}</td></tr>\
 </table>\
+{unlock_section}\
 <h2>Firmware update</h2>\
 <p>Max image size: {maxk} KiB. The device will reboot into the new \
 image on success.</p>\
@@ -481,7 +562,9 @@ image on success.</p>\
 <script>\
 const f=document.getElementById('otaform'),fi=document.getElementById('otafile'),\
 p=document.getElementById('otaprog'),s=document.getElementById('otastatus'),\
-rb=document.getElementById('rollbackbtn');\
+rb=document.getElementById('rollbackbtn'),\
+ub=document.getElementById('unlockbtn'),\
+us=document.getElementById('unlockstatus');\
 f.addEventListener('submit',e=>{{e.preventDefault();const file=fi.files[0];if(!file)return;\
 s.textContent='Uploading '+file.size+' bytes...';s.className='';\
 const x=new XMLHttpRequest();x.open('POST','/ota');\
@@ -494,6 +577,12 @@ x.send(file);}});\
 rb.addEventListener('click',()=>{{if(!confirm('Roll back and reboot?'))return;\
 fetch('/ota/rollback',{{method:'POST'}}).then(r=>r.text()).then(t=>{{s.textContent=t;}})\
 .catch(e=>{{s.textContent='rollback failed';s.className='err';}});}});\
+if(ub){{ub.addEventListener('click',()=>{{if(!confirm('Unlock the door now?'))return;\
+us.textContent='unlocking...';us.className='';\
+fetch('/unlock',{{method:'POST'}}).then(r=>r.text().then(t=>{{\
+us.textContent=t.trim();us.className=r.ok?'ok':'err';\
+if(r.ok)setTimeout(()=>location.reload(),800);}}))\
+.catch(e=>{{us.textContent='unlock failed';us.className='err';}});}});}}\
 </script>\
 </body></html>",
         firmware = firmware,
@@ -505,13 +594,15 @@ fetch('/ota/rollback',{{method:'POST'}}).then(r=>r.text()).then(t=>{{s.textConte
         cport = conway_port,
         fobs = fob_count,
         events = pending_events,
+        last_swipe = last_swipe_html.as_str(),
         etag = if current_etag.is_empty() {
             "(none)"
         } else {
             current_etag.as_str()
         },
         ota = ota_str.as_str(),
         maxk = next_slot_size / 1024,
+        unlock_section = unlock_section,
     );
 
     let mut header: HString<160> = HString::new();

access-controller/src/main.rs

@@ -87,6 +87,23 @@ pub static SYNC_COMPLETE: Signal<CriticalSectionRawMutex, ()> = Signal::new();
 // Signal for door unlock (after successful auth)
 pub static DOOR_SIGNAL: Signal<CriticalSectionRawMutex, ()> = Signal::new();
 
+// Signal raised by `POST /unlock` to request a manual door pulse.
+pub static MANUAL_UNLOCK: Signal<CriticalSectionRawMutex, ()> = Signal::new();
+
+/// Sentinel `fob` value used when recording a manual-unlock event so the
+/// Conway audit trail can distinguish it from a real card swipe.
+pub const MANUAL_UNLOCK_FOB: u32 = 0;
+
+/// Most recent door event (swipe or manual unlock). Rendered on the
+/// HTTP status page; not persisted across reboots.
+#[derive(Debug, Clone, Copy)]
+pub struct LastSwipe {
+    pub fob: u32,
+    pub allowed: bool,
+    pub at_uptime_ms: u64,
+    pub manual: bool,
+}
+
 /// Reader-side user feedback to play after an access decision.
 #[derive(Debug, Clone, Copy)]
 pub enum AccessOutcome {
@@ -104,6 +121,8 @@ pub static WATCHDOG_FEED: Signal<CriticalSectionRawMutex, ()> = Signal::new();
 static FOBS: StaticCell<Mutex<CriticalSectionRawMutex, heapless::Vec<u32, MAX_FOBS>>> =
     StaticCell::new();
 static ETAG: StaticCell<Mutex<CriticalSectionRawMutex, HString<64>>> = StaticCell::new();
+static LAST_SWIPE: StaticCell<Mutex<CriticalSectionRawMutex, Option<LastSwipe>>> =
+    StaticCell::new();
 static STACK_RESOURCES: StaticCell<StackResources<8>> = StaticCell::new();
 static STACK: StaticCell<Stack<'static>> = StaticCell::new();
 
@@ -173,6 +192,7 @@ async fn main(spawner: embassy_executor::Spawner) {
     // Initialize shared state (fobs and etag start empty, populated by sync)
     let fobs = FOBS.init(Mutex::new(heapless::Vec::new()));
     let etag = ETAG.init(Mutex::new(HString::new()));
+    let last_swipe = LAST_SWIPE.init(Mutex::new(None));
 
     log::info!("storage: fob cache initialized (empty, will sync from server)");
 
@@ -284,7 +304,7 @@ async fn main(spawner: embassy_executor::Spawner) {
     spawner.spawn(net_task(runner)).unwrap();
     spawner.spawn(wifi_task(wifi_controller, rt_config)).unwrap();
     spawner.spawn(wiegand_task(wiegand)).unwrap();
-    spawner.spawn(access_task(fobs, wdt)).unwrap();
+    spawner.spawn(access_task(fobs, last_swipe, wdt)).unwrap();
     spawner.spawn(door_task(door)).unwrap();
     spawner
         .spawn(reader_feedback_task(reader_led, reader_beep))
@@ -297,7 +317,7 @@ async fn main(spawner: embassy_executor::Spawner) {
         spawner.spawn(sync_task(stack, fobs, etag, rt_config)).unwrap();
     }
     spawner
-        .spawn(http::http_server_task(stack, fobs, etag, rt_config))
+        .spawn(http::http_server_task(stack, fobs, etag, last_swipe, rt_config))
         .unwrap();
     spawner.spawn(watchdog_feed_task()).unwrap();
 
@@ -425,29 +445,55 @@ async fn wiegand_task(mut wiegand: Wiegand<'static>) {
 #[embassy_executor::task]
 async fn access_task(
     fobs: &'static Mutex<CriticalSectionRawMutex, heapless::Vec<u32, MAX_FOBS>>,
+    last_swipe: &'static Mutex<CriticalSectionRawMutex, Option<LastSwipe>>,
     wdt: &'static Mutex<CriticalSectionRawMutex, WdtType>,
 ) {
     let mut core = AccessCore::new();
 
     loop {
-        // Use select3 to handle card reads, sync completion, AND watchdog feed requests.
-        // This ensures we can service all events without blocking.
-        let event = embassy_futures::select::select3(
+        // Select across all firmware-level inputs: card reads, sync
+        // completion, watchdog feed ticks, and operator-initiated
+        // manual unlocks from the HTTP server.
+        let event = embassy_futures::select::select4(
             WIEGAND_CHANNEL.receive(),
             SYNC_COMPLETE.wait(),
             WATCHDOG_FEED.wait(),
+            MANUAL_UNLOCK.wait(),
         )
         .await;
 
         let now = embassy_time::Instant::now().as_millis();
 
+        // Manual unlock is handled entirely in the firmware adapter -
+        // it doesn't run through AccessCore because there's no
+        // authorization decision to make.
+        if let embassy_futures::select::Either4::Fourth(()) = event {
+            log::warn!("access MANUAL UNLOCK via HTTP");
+            DOOR_SIGNAL.signal(());
+            READER_FEEDBACK.signal(AccessOutcome::Granted);
+            EVENT_BUFFER
+                .push(AccessEvent {
+                    fob: MANUAL_UNLOCK_FOB,
+                    allowed: true,
+                })
+                .await;
+            *last_swipe.lock().await = Some(LastSwipe {
+                fob: MANUAL_UNLOCK_FOB,
+                allowed: true,
+                at_uptime_ms: now,
+                manual: true,
+            });
+            continue;
+        }
+
         let input = match event {
-            embassy_futures::select::Either3::First(read) => CoreInput::Card(CardRead {
+            embassy_futures::select::Either4::First(read) => CoreInput::Card(CardRead {
                 fob: read.to_fob(),
                 nfc: read.to_nfc_uid(),
             }),
-            embassy_futures::select::Either3::Second(()) => CoreInput::SyncComplete,
-            embassy_futures::select::Either3::Third(()) => CoreInput::WatchdogFeed,
+            embassy_futures::select::Either4::Second(()) => CoreInput::SyncComplete,
+            embassy_futures::select::Either4::Third(()) => CoreInput::WatchdogFeed,
+            embassy_futures::select::Either4::Fourth(()) => unreachable!(),
         };
 
         // Snapshot the cache once and pass it as a slice; mirrors the
@@ -477,6 +523,13 @@ async fn access_task(
                             allowed: ev.allowed,
                         })
                         .await;
+                    // Mirror the record into the UI's last-swipe slot.
+                    *last_swipe.lock().await = Some(LastSwipe {
+                        fob: ev.fob,
+                        allowed: ev.allowed,
+                        at_uptime_ms: now,
+                        manual: false,
+                    });
                 }
                 Effect::RequestSync => {
                     SYNC_SIGNAL.signal(());