CPS ESP32-S3 Bench Node (WiFi)

Brings up a bare WeAct ESP32-S3 devkit as a WiFi CPS node that publishes telemetry and status into the existing MQTT ingest path. See ADR 048 for the design and the honest TLS posture.

Hardware

  • WeAct ESP32-S3 devkit, connected by USB (USB-Serial-JTAG for flash + logs).
  • No external sensors. Telemetry is a bounded synthetic temperature ramp until an AHT21B or the internal temperature sensor is wired.

Toolchain (one time)

The ESP32-S3 is Xtensa and needs the Espressif Rust toolchain:

cargo install espup --version 0.16.0 --locked # or newer with rustc >= 1.88
espup install
. ~/export-esp.sh # exports LIBCLANG_PATH + the xtensa-esp-elf toolchain
cargo install espflash # if not already present

Build-time configuration

The firmware reads connection settings from environment variables at compile time:

export DEVICE_ID="esp32s3-bench-01"
export WIFI_SSID="your-wifi"
export WIFI_PASSWORD="your-wifi-password"
export MQTT_BROKER_HOST="10.0.0.10" # IP or DNS name reachable from the board
export MQTT_USERNAME="esp32s3-bench-01"
export MQTT_PASSWORD="your-device-password"
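The six variables above are baked into the binary with compile-time macros, so a missing or malformed one is best caught before flashing. The following is an added example, not the project's firmware: it assumes a hypothetical BuildConfig type and shows how option_env! can collect every problem at once instead of aborting at the first env! call. The DEVICE_ID check matters because the id is spliced into the aurora/sensors/<DEVICE_ID>/... topic, where a '/', '+' or '#' would move publishes into another device's subtree or a wildcard position.

```rust
// Added example: build-time configuration check for the bench node.
// Not the project's firmware code. It assumes the six variables the
// README lists and a hypothetical `BuildConfig` type. It runs as a plain
// std Rust program (for instance from a build.rs) and exits non-zero with
// every problem listed.

/// Snapshot of the compile-time variables the README lists.
#[derive(Debug, Clone)]
pub struct BuildConfig {
    pub device_id: Option<&'static str>,
    pub wifi_ssid: Option<&'static str>,
    pub wifi_password: Option<&'static str>,
    pub mqtt_broker_host: Option<&'static str>,
    pub mqtt_username: Option<&'static str>,
    pub mqtt_password: Option<&'static str>,
}

impl BuildConfig {
    /// `option_env!` resolves at compile time, so a missing variable shows
    /// up as `None` instead of aborting the build at the first `env!`.
    pub fn from_build_env() -> Self {
        Self {
            device_id: option_env!("DEVICE_ID"),
            wifi_ssid: option_env!("WIFI_SSID"),
            wifi_password: option_env!("WIFI_PASSWORD"),
            mqtt_broker_host: option_env!("MQTT_BROKER_HOST"),
            mqtt_username: option_env!("MQTT_USERNAME"),
            mqtt_password: option_env!("MQTT_PASSWORD"),
        }
    }
}

/// DEVICE_ID is spliced into `aurora/sensors/<DEVICE_ID>/...`, so it must not
/// carry MQTT topic separators ('/') or wildcards ('+', '#'). The 64-char
/// limit is an assumption for this example, not a protocol rule.
pub fn device_id_is_topic_safe(id: &str) -> bool {
    !id.is_empty()
        && id.len() <= 64
        && id.chars().all(|c| c.is_ascii_alphanumeric() || c == '-' || c == '_')
}

/// Returns every problem found, so the user can fix them in one pass.
pub fn validate(cfg: &BuildConfig) -> Vec<String> {
    let mut problems = Vec::new();
    let required = [
        ("DEVICE_ID", cfg.device_id),
        ("WIFI_SSID", cfg.wifi_ssid),
        ("WIFI_PASSWORD", cfg.wifi_password),
        ("MQTT_BROKER_HOST", cfg.mqtt_broker_host),
        ("MQTT_USERNAME", cfg.mqtt_username),
        ("MQTT_PASSWORD", cfg.mqtt_password),
    ];
    for (name, value) in required {
        match value {
            None => problems.push(format!("{name} is not set")),
            Some(v) if v.trim().is_empty() => problems.push(format!("{name} is empty")),
            Some(_) => {}
        }
    }
    if let Some(id) = cfg.device_id {
        if !device_id_is_topic_safe(id) {
            problems.push(format!("DEVICE_ID {id:?} must be 1-64 chars of [A-Za-z0-9_-]"));
        }
    }
    // WPA2-PSK passphrases are 8..=63 ASCII characters; anything else fails
    // at association time with a far less helpful error than this one.
    if let Some(pw) = cfg.wifi_password {
        if !(8..=63).contains(&pw.len()) || !pw.is_ascii() {
            problems.push("WIFI_PASSWORD must be 8-63 ASCII characters (WPA2-PSK)".to_string());
        }
    }
    // 802.11 limits an SSID to 32 octets.
    if let Some(ssid) = cfg.wifi_ssid {
        if ssid.len() > 32 {
            problems.push("WIFI_SSID exceeds the 32-byte 802.11 limit".to_string());
        }
    }
    problems
}

fn main() {
    let cfg = BuildConfig::from_build_env();
    let problems = validate(&cfg);
    if problems.is_empty() {
        println!("build configuration ok for device {}", cfg.device_id.unwrap_or("?"));
    } else {
        for p in &problems {
            eprintln!("config error: {p}");
        }
        std::process::exit(1);
    }
}
```

Secrets are deliberately never echoed: the messages name the variable, not its value, so a failed build log does not leak the WiFi or MQTT password.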

Flash and observe

From firmware/embassy-esp/projects/esp32s3_bench_node:

. ~/export-esp.sh
cargo +esp run --release # espflash flashes over USB and opens the monitor

The monitor shows WiFi association, the MQTT connect, and a line per publish. The node publishes status every 30 s and temperature_c telemetry every 10 s on aurora/sensors/<DEVICE_ID>/..., which the backend MQTTEdgeConsumer ingests unchanged. A CPS device then appears in the console CPS overview.
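To see the publish cadence and the bounded synthetic ramp without a board, here is an added example in plain std Rust. It is not the firmware and the JSON layout is an assumption (the real payloads come from aurora-firmware-contracts); only the topic layout, the 30 s and 10 s periods and the metric name temperature_c are taken from this page. The ramp limits and step are invented for the example.

```rust
// Added example: publish schedule plus a bounded synthetic temperature ramp.
// Not the project's firmware. Topic layout and periods are from the README;
// the payload shape and the ramp limits are assumptions for this example.

pub const STATUS_PERIOD_S: u64 = 30;
pub const TEMP_PERIOD_S: u64 = 10;

/// Topic layout from the README: aurora/sensors/<DEVICE_ID>/<metric>.
/// The caller must pass a DEVICE_ID already validated as topic-safe
/// (no '/', '+' or '#'); this function only assembles the string.
pub fn topic(device_id: &str, metric: &str) -> String {
    format!("aurora/sensors/{device_id}/{metric}")
}

/// Synthetic temperature ramp bounded in both value and step: it walks from
/// `lo` to `hi` in fixed steps and turns around at the ends, so a consumer
/// never sees a value outside [lo, hi] or a jump larger than `step`.
#[derive(Debug)]
pub struct TempRamp {
    lo: f32,
    hi: f32,
    step: f32,
    value: f32,
    rising: bool,
}

impl TempRamp {
    pub fn new(lo: f32, hi: f32, step: f32) -> Self {
        assert!(lo < hi && step > 0.0, "ramp bounds must satisfy lo < hi, step > 0");
        Self { lo, hi, step, value: lo, rising: true }
    }

    /// Returns the current sample and advances one step (triangle wave).
    pub fn next_sample(&mut self) -> f32 {
        let out = self.value;
        let next = if self.rising { self.value + self.step } else { self.value - self.step };
        if next >= self.hi {
            self.value = self.hi;
            self.rising = false;
        } else if next <= self.lo {
            self.value = self.lo;
            self.rising = true;
        } else {
            self.value = next;
        }
        out
    }
}

/// Messages due at a given uptime, as (topic, payload) pairs. Status fires
/// every 30 s and temperature_c every 10 s, so both are due at t = 0, 30, 60, ...
pub fn messages_at(device_id: &str, uptime_s: u64, ramp: &mut TempRamp) -> Vec<(String, String)> {
    let mut out = Vec::new();
    if uptime_s % STATUS_PERIOD_S == 0 {
        // Assumed status payload; the real contract lives in aurora-firmware-contracts.
        out.push((
            topic(device_id, "status"),
            format!("{{\"device_id\":\"{device_id}\",\"uptime_s\":{uptime_s}}}"),
        ));
    }
    if uptime_s % TEMP_PERIOD_S == 0 {
        let t = ramp.next_sample();
        out.push((
            topic(device_id, "temperature_c"),
            format!("{{\"device_id\":\"{device_id}\",\"temperature_c\":{t:.2}}}"),
        ));
    }
    out
}

fn main() {
    // Simulate the first minute of uptime for the README's device id.
    let mut ramp = TempRamp::new(20.0, 25.0, 0.5);
    for uptime_s in 0..=60 {
        for (topic, payload) in messages_at("esp32s3-bench-01", uptime_s, &mut ramp) {
            println!("t={uptime_s:>3}s  {topic}  {payload}");
        }
    }
}
```

Because the ramp is bounded, a backend consumer can use it to test range alarms and rate-of-change detection on the CPS overview without ever producing a value that looks like a real sensor fault.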

Security posture (read this)

Certificate-verified TLS is not yet available on the device: the no_std TLS crate (embedded-tls) cannot verify a server certificate on embedded targets, and the robust esp-mbedtls is a heavier follow-up (ADR 048). Until device TLS lands:

  • Run the bench on a trusted or isolated network. The device authenticates with an MQTT username/password but the link is not yet encrypted, so those credentials and all telemetry cross the network in cleartext.

  • The broker already has a real mutual-TLS listener on 8883 for the backend. Mint the PKI with:

    cd infra/certs && BROKER_CN=mosquitto BROKER_IP=192.168.1.15 DEVICE_ID=esp32s3-bench-01 ./generate-certs.sh

    This produces the CA, broker, backend, and device certificates (gitignored). The device certificate is ready for the esp-mbedtls follow-up that adds device TLS.
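The "trusted or isolated network" rule above is easy to encode as a pre-flight check rather than leaving it to memory. The following is an added example, not part of the project: it refuses a plaintext build unless MQTT_BROKER_HOST is a literal private, link-local or loopback IPv4 address, and refuses plaintext to 8883 because that port is the mutual-TLS listener. The policy itself (literal private IPv4 only, DNS names rejected) and the default plaintext port 1883 are assumptions for this example.

```rust
// Added example: pre-flight guard for the interim plaintext-MQTT posture.
// Not the project's code. It assumes the README's build-time variables and
// a policy of "plaintext only to a literal private IPv4 address".
use std::net::Ipv4Addr;

/// Assumed default plaintext MQTT port; the README only names the 8883 TLS listener.
pub const PLAINTEXT_MQTT_PORT: u16 = 1883;
pub const MTLS_LISTENER_PORT: u16 = 8883;

/// May the bench talk to `host:port` without TLS?
///
/// Only literal IPv4 addresses in RFC 1918 private space, link-local or
/// loopback are accepted. DNS names are refused: on a plaintext link the
/// resolver answer is as unauthenticated as the MQTT traffic itself, and
/// there is nothing here to pin the result to.
pub fn plaintext_broker_allowed(host: &str, port: u16) -> Result<(), String> {
    if port == MTLS_LISTENER_PORT {
        return Err(format!(
            "port {port} is the mutual-TLS listener; a plaintext client cannot use it"
        ));
    }
    let ip: Ipv4Addr = host.parse().map_err(|_| {
        format!(
            "MQTT_BROKER_HOST={host:?}: plaintext MQTT requires a literal IPv4 address \
             on the bench network, not a DNS name"
        )
    })?;
    if ip.is_private() || ip.is_link_local() || ip.is_loopback() {
        Ok(())
    } else {
        Err(format!(
            "MQTT_BROKER_HOST={ip}: refusing plaintext MQTT to a non-private address; \
             use the 8883 mutual-TLS listener once device TLS lands"
        ))
    }
}

fn main() {
    // In a build.rs this would abort the build; here it just reports.
    let host = option_env!("MQTT_BROKER_HOST").unwrap_or("10.0.0.10");
    match plaintext_broker_allowed(host, PLAINTEXT_MQTT_PORT) {
        Ok(()) => println!("plaintext MQTT to {host}:{PLAINTEXT_MQTT_PORT} allowed on bench network"),
        Err(reason) => {
            eprintln!("refused: {reason}");
            std::process::exit(1);
        }
    }
}
```

When the esp-mbedtls follow-up lands, the guard becomes a switch: a TLS build skips it entirely, while the plaintext build keeps it so the interim posture cannot quietly outlive the bench.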

Backend ingest

Point the backend at the broker and enable MQTT ingest:

MQTT_ENABLED=true MQTT_HOST=mosquitto # plus MQTT_USE_TLS / MQTT_PORT / cert paths for 8883

No backend code changes are needed; the firmware emits consumer-ready topics and JSON via aurora-firmware-contracts.

Notes

  • The bare board has no secure element, so attestation requests are not answered; the device stays in the PENDING attestation state by design.
  • If the board fails to boot after flashing, reduce the heap or task-arena sizes in the firmware; the bench defaults target a board with at least the standard ESP32-S3 SRAM.