OTA update page restyling, automatically set download URL based on info.repo

[softhack007]

• use same style as other settings pages
• Hide "back" button while update is in progress
• set "download latest binary" URL and badge based on info.repo; directly link to "latest" release
• correct bad name of "Security & Updates" page

old:

--> new:

Summary by CodeRabbit

• New Features

  • Dynamic release badge and download link added to the Update page
  • Back button and contextual Help controls added to the Update interface

• Improvements

  • Title and heading updated to "Security & Update Setup" for consistency
  • Bootloader hash display improved (newline, font size, word-wrap)
  • Update page layout restructured and Update button relabeled

• Behavior

  • Release/download area hides when no release info or on fetch failure; forms and navigation visibility refined

• Improvements

  • Device architecture reporting refined for certain ESP32 variants

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Renames Security page title, restructures the Update UI/DOM (top row, .sec wrappers, dynamic release-download area, bootloader SHA formatting, hideforms behavior), updates button labels, switches fetch to getURL('/json/info'), and makes ESP32 arch serialization explicitly report "esp32" for classic ESP32 builds.

Changes

Cohort / File(s)	Summary
Security page wled00/data/settings_sec.htm	Updated page title and heading text to "Security & Update Setup" (case/wording changes).
Update UI & layout wled00/data/update.htm	Refactored DOM/JS: added top row (Help/Back), wrapped sections in .sec, moved Back control, expanded hideforms() to hide top/bottom controls, changed fetch to getURL('/json/info'), added dynamic release-download link and badge using data.repo with Norelease-download fallback, adjusted bootloader SHA display/styling, and updated button labels (e.g., "Update WLED!").
ESP32 info serialization wled00/json.cpp	In serializeInfo, set arch to string "esp32" when building for classic ESP32 (ARDUINO_ARCH_ESP32 + CONFIG_IDF_TARGET_ESP32); otherwise retain ESP.getChipModel().

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• Info page: Total LEDs, GitHub repo, minor re-styling #5418 — changes to JSON arch/reporting and repo handling overlap with json.cpp and update UI usage.
• Add OTA metadata validation v2 #4998 — overlaps on wled00/data/update.htm UI changes and dynamic /json/info usage.
• Cleanup bootloader SHA256 calculation from #4984 #5128 — related edits to update/bootloader UI and form visibility in update.htm.

Suggested reviewers

• DedeHai
• netmindz

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'OTA update page restyling, automatically set download URL based on info.repo' directly summarizes the main changes: UI restyling and dynamic URL generation based on repository data.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

• 📝 Generate docstrings (stacked PR)
• 📝 Generate docstrings (commit on current branch)

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch update_restyle

📝 Coding Plan

• Generate coding plan for human review comments

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

♻️ Duplicate comments (1)

wled00/data/update.htm (1)

27-33: ⚠️ Potential issue | 🟡 Minor

Keep the release link hidden until a valid repo is confirmed.

The hard-coded upstream badge/link still render before /json/info resolves, and they remain visible in the .catch() path. On custom or offline builds that can still send users to the wrong firmware. Default this block to hidden and only unhide it after a valid data.repo is loaded.

Proposed fix

-					if (data.repo && data.repo !== "unknown") {
+					const releaseDownload = gId('release-download');
+					if (data.repo && data.repo !== "unknown") {
 						document.querySelector('.release-repo').href = "https://github.com/" + data.repo + "/releases/latest";
 						document.querySelector('.release-badge').src = "https://img.shields.io/github/release/" + data.repo + ".svg?style=flat-square";
+						releaseDownload.classList.remove("hide");
 					} else {
-						gId('release-download').classList.add("hide");
+						releaseDownload.classList.add("hide");
 					}
...
 				.catch(error => {
 					console.log('Could not fetch device info:', error);
 					// Fallback to compiled-in value if API call fails
 					document.querySelector('.installed-version').textContent = 'Unknown';
 					document.querySelector('.release-name').textContent = 'Unknown';
+					gId('release-download').classList.add("hide");
 				});
...
-		<div id="release-download">
+		<div id="release-download" class="hide">

Also applies to: 46-50, 74-77

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@wled00/data/update.htm` around lines 27 - 33, Hide the release link/badge by
default and only unhide them when a valid repository is confirmed: add the
"hide" class (or set display:none) to the elements targeted by
document.querySelector('.release-repo'),
document.querySelector('.release-badge') and gId('release-download') before the
/json/info fetch, then inside the success branch where you check data.repo &&
data.repo !== "unknown" remove the "hide" class and set the href/src values (the
block that references data.repo, '.release-repo', '.release-badge', and
gId('release-download')); ensure the catch/error path leaves them hidden so
custom/offline builds never expose incorrect links.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@wled00/data/update.htm`:
- Around line 71-79: The markup nests a block-level element (`#release-download`
div) inside a paragraph causing implicit paragraph closure; fix by removing the
<div id="release-download"> from inside the <p> (e.g., close the paragraph
before the `#release-download` block or convert the wrapping <p> to a block-level
container) so the "Installed version" and "Release" spans (classes sip
installed-version and sip release-name) remain in their own paragraph and the
release-download block is a separate sibling element.

---

Duplicate comments:
In `@wled00/data/update.htm`:
- Around line 27-33: Hide the release link/badge by default and only unhide them
when a valid repository is confirmed: add the "hide" class (or set display:none)
to the elements targeted by document.querySelector('.release-repo'),
document.querySelector('.release-badge') and gId('release-download') before the
/json/info fetch, then inside the success branch where you check data.repo &&
data.repo !== "unknown" remove the "hide" class and set the href/src values (the
block that references data.repo, '.release-repo', '.release-badge', and
gId('release-download')); ensure the catch/error path leaves them hidden so
custom/offline builds never expose incorrect links.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: 24e4456e-7a7b-47c7-8887-b7b7702200f7

📥 Commits

Reviewing files that changed from the base of the PR and between 96571b4 and 52bbf5d.

📒 Files selected for processing (2)

• wled00/data/update.htm
• wled00/json.cpp

[netmindz]

Nice updates

[DedeHai]

Just noticed: it looks like the second "back" button should go on the bottom of the page instead of somewhere in between, as it is on other config pages. Also drop the "setup" in the "security & update setup" title(s)? or is there anything to "set up" on that page?

[KrX3D]

Hello,
since you guys are changing the look on this i want to trow in the page after you picked a bin file and hit update:

it looks kind of odd seeing the Bootloader Update part here. It would be nice if on a normal software update the bootloader update part would be hidden

since the first time i saw this i thought i made a mistake and i had clicked on updating the bootloader

[softhack007]

Hello, since you guys are changing the look on this i want to trow in the page after you picked a bin file and hit update:

it looks kind of odd seeing the Bootloader Update part here. It would be nice if on a normal software update the bootloader update part would be hidden

since the first time i saw this i thought i made a mistake and i had clicked on updating the bootloader

@DedeHai can you check how it looks on 8266? I only have esp32 boards, so I can't test 8266.

I would expect that only the "normal" update shows on 8266, because all firmware images for 8266 are "factory image" = bootloader + wled in one file.

[softhack007]

Just noticed: it looks like the second "back" button should go on the bottom of the page instead of somewhere in between, as it is on other config pages. Also drop the "setup" in the "security & update setup" title(s)? or is there anything to "set up" on that page?

good points 👍 i'll check

[KrX3D]

Hello, since you guys are changing the look on this i want to trow in the page after you picked a bin file and hit update:
it looks kind of odd seeing the Bootloader Update part here. It would be nice if on a normal software update the bootloader update part would be hidden
since the first time i saw this i thought i made a mistake and i had clicked on updating the bootloader

@DedeHai can you check how it looks on 8266? I only have esp32 boards, so I can't test 8266.

I would expect that only the "normal" update shows on 8266, because all firmware images for 8266 are "factory image" = bootloader + wled in one file.

i have this on all my esp32 (several variants) with a version form 11.02.26 , i didnt check the newest changes of the last 4 weeks.
i dont have esp8266 so i dont know if it also happens there.

[softhack007]

Also drop the "setup" in the "security & update setup" title(s)? or is there anything to "set up" on that page?

Yes, in the first section users can setup OTA lock and password.

[softhack007]

@coderabbitai please verity if the update.htm file is compatible with modern browsers and with current WebView frontends. Also check that HTML, CSS and DOM usage is compliant to relevant web standards.

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
cat wled00/data/update.htm
echo "---SEPARATOR---"
# Also check common.js for getURL definition
grep -n "getURL\|function gId\|function cE\|showToast\|function esc\|function safeUrl" wled00/data/common.js | head -40

Length of output: 5466

---

🏁 Script executed:

#!/bin/bash
# Check toggle() implementation in common.js
grep -n "function toggle\|^function toggle\|var toggle\|const toggle\|let toggle" wled00/data/common.js
echo "---"
# Get toggle function body
grep -n -A 10 "^function toggle" wled00/data/common.js
echo "---"
# Check if style.css has vendor-prefixed or non-standard properties
grep -n "\-webkit-\|\-moz-\|\-ms-\|\-o-\|appearance:\|user-select:\|will-change:\|contain:" wled00/data/style.css | head -40
echo "---"
# Check for any non-standard HTML attributes in update.htm
grep -n "x-\|data-\|aria-" wled00/data/update.htm

Length of output: 840

---

@softhack007 — Here is the full compatibility and standards audit of update.htm. Overall the file is compatible with all modern browsers and WebView frontends (Chrome 51+, Firefox 54+, Safari 10+, Edge 15+, Android WebView API 21+, iOS WKWebView 10+). No deprecated APIs are used and all ES6 features are well within support ranges. A few minor conformance points are worth tidying:

---

✅ Browser / WebView Compatibility — No Blocking Issues

All JavaScript features used compile cleanly against modern runtimes:

Feature	Status
Arrow functions, const/let, template literals	✅ ES6, universally supported
fetch() + Promise chaining	✅ Supported (Chrome 42+, Android WebView API 21+, iOS 10.3+)
classList.toggle/add	✅ Widely supported
document.querySelector / getElementById	✅ Standard DOM Level 1/4
window.history.back()	✅ Standard
target="_blank" with rel="noopener noreferrer"	✅ Correct security practice
aria-label on the help button	✅ Good a11y

---

⚠️ Standards / Best-Practice Issues

1. Viewport meta missing initial-scale=1

<!-- current -->
<meta content='width=device-width' name='viewport'>
<!-- recommended -->
<meta name='viewport' content='width=device-width, initial-scale=1'>

Without initial-scale=1, some Android WebViews and older Samsung Browser versions may apply an incorrect initial zoom level. The attribute order name before content also matches the HTML5 spec convention.

---

2. Implicit named global and with-scope access in inline onchange handler (Line 93)

<!-- current -->
<input type='checkbox' onchange="sV.value=checked?1:''">

Two non-obvious behaviours are at play here:

• sV is resolved via the legacy named element global lookup (document['sV']), which is defined in the HTML spec but is explicitly discouraged in favour of getElementById.
• checked resolves through the HTML event handler's implicit with(element) scope chain (WHATWG HTML §8.1.7.1), which puts the element's own properties in scope. This is specced but fragile — this.checked is unambiguous.

<!-- recommended -->
<input type='checkbox' onchange="document.getElementById('sV').value=this.checked?1:''" id="skipValidation">

---

3. Mixed innerText / textContent

textContent is used for .installed-version / .release-name, but innerText for bootloader-hash:

gId('bootloader-hash').innerText = 'Current bootloader SHA256: \n' + data.bootloaderSHA256;

innerText triggers a layout reflow (it's layout-aware) while textContent does not. Both are now standardised (WHATWG), but since the \n here is intended as a visual line break, note that innerText will render \n as a line break only if the element has white-space: pre or white-space: pre-wrap (which word-break: break-all alone does not set). If the SHA256 hash is currently displaying on a new line as intended, it is because innerText sets the DOM accordingly — but textContent with \n would only work visually if the CSS white-space property is set. Consider using:

gId('bootloader-hash').textContent = 'Current bootloader SHA256:';
const br = document.createElement('br');
gId('bootloader-hash').appendChild(br);
gId('bootloader-hash').appendChild(document.createTextNode(data.bootloaderSHA256));

or keeping innerText and adding white-space: pre-wrap to the element's style.

---

4. window.open(url, "_self") for navigation (Line 18)

window.open(getURL("/update?revert"), "_self"); // current
window.location.href = getURL("/update?revert"); // idiomatic

window.open with "_self" works in all browsers but some WebView sandboxes (particularly restricted WKWebView configurations with WKNavigationDelegate) can intercept and block window.open() calls. window.location.href is the standard way to perform a same-document navigation and is never intercepted as a popup.

---

ℹ️ Cosmetic / Low-Priority

5. Redundant type="text/javascript" on <script> tag — text/javascript is the default in HTML5 (per WHATWG HTML §4.12.1), the attribute can be dropped.

6. @import url("style.css") inside <style> — Valid CSS but causes a sequential fetch (the browser must parse the <style> block before discovering style.css). A <link rel="stylesheet" href="style.css"> in <head> would allow earlier parallel discovery. This is consistent with other WLED pages, so it's probably intentional.

---

✅ Correctly Implemented

• toggle('release-download') correctly pairs with #Norelease-download via the toggle() / "No"+el convention in common.js — the show/hide logic is sound.
• toggle('upd') correctly pairs with #Noupd ("Updating..." message) on form submit.
• data.arch && data.arch.toLowerCase() — null guard is correct.
• The <img class="release-badge"> with no initial src is valid HTML5 (omitting src does not trigger a spurious request, unlike src="").

---

🧠 Learnings used

Learnt from: softhack007
Repo: wled/WLED PR: 5381
File: wled00/data/update.htm:2-2
Timestamp: 2026-02-19T13:24:28.983Z
Learning: In WLED, generated embedded header files (html_*.h, js_iro.h, etc.) are NOT stored in the repository and have not been for over 2 years. These files are automatically regenerated during the build process from the source files in wled00/data/. Only the source .htm, .html, .css, and .js files in wled00/data/ should be committed when making web UI changes.

---

Learnt from: CR
Repo: wled/WLED PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-10-05T15:24:05.545Z
Learning: Applies to wled00/data/** : For web UI changes, edit files only under wled00/data (not firmware or generated files)

---

Learnt from: CR
Repo: wled/WLED PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-10-05T15:24:05.545Z
Learning: Applies to wled00/html_*.h : DO NOT edit generated embedded web header files (wled00/html_*.h)

---

Learnt from: CR
Repo: wled/WLED PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-10-05T15:24:05.545Z
Learning: Applies to wled00/data/index.htm : Main web interface entry file is index.htm; ensure it remains present and functional

---

Learnt from: softhack007
Repo: wled/WLED PR: 5381
File: wled00/data/dmxmap.htm:2-2
Timestamp: 2026-02-19T13:23:42.152Z
Learning: In WLED, html_*.h files are NOT stored in the repository. They have been excluded for more than two years and are automatically regenerated as part of the build process. Do not request these files to be committed.

---

Learnt from: CR
Repo: wled/WLED PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-10-05T15:24:05.545Z
Learning: Manually validate the web UI after changes (load index, navigation, color controls, effects, settings) and check browser console for JS errors

---

Learnt from: DedeHai
Repo: wled/WLED PR: 5404
File: wled00/data/pixelforge/pixelforge.htm:633-641
Timestamp: 2026-03-05T15:54:44.117Z
Learning: In the WLED codebase, `common.js` (wled00/data/common.js) is the shared utility file loaded by all web UI pages. It already contains helpers like gId, cE, getURL, showToast, etc. It is the appropriate place to add shared sanitization helpers (esc, safeUrl) since they should be available to all pages without duplication. The esc/safeUrl helpers are only strictly necessary for pixelforge.htm's renderTools() because that is the only page fetching content from an external remote source (GitHub Pages). All other innerHTML+template-literal injection points in the WLED web UI (index.js, settings_time.htm, settings_leds.htm, cpal/cpal.htm) use device-local JSON which is considered trusted in the WLED threat model.

---

Learnt from: softhack007
Repo: wled/WLED PR: 0
File: :0-0
Timestamp: 2025-11-14T13:37:30.955Z
Learning: In WLED code reviews, verify that file operations (especially file.open()) respect LittleFS filename limitations. Assume default WLED configuration with LittleFS default filename limit of 255 bytes. Do not assume extreme configuration values like WLED_MAX_SEGNAME_LEN = 512 which would not be standard configurations.

---

Learnt from: willmmiles
Repo: wled/WLED PR: 4998
File: wled00/ota_update.cpp:120-124
Timestamp: 2025-10-11T17:56:24.923Z
Learning: In the WLED OTA update implementation (wled00/ota_update.cpp), the parameter name for bypassing OTA validation is "skipValidation", not "ignoreRelease". The intent evolved from the original spec in issue `#4929` to disable all validation checks, not just release name checks, which is why the broader parameter name "skipValidation" is used.

---

Learnt from: softhack007
Repo: wled/WLED PR: 0
File: :0-0
Timestamp: 2025-11-14T13:37:11.994Z
Learning: In WLED code reviews, when code is modified or added, look for "magic numbers" (hardcoded numeric literals) and suggest replacing them with appropriate defined constants when those constants are meaningful in the context of the PR. For example, the hardcoded value 32 should be replaced with WLED_MAX_SEGNAME_LEN when it represents a segment name length limit. This improves code maintainability and reduces the risk of inconsistencies.

[softhack007]

Tested and behaves as expected on my boards -> ready to merge.

[softhack007]

@coderabbitai re-review all

[coderabbitai]

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
echo "=== update.htm ==="
cat wled00/data/update.htm
echo ""
echo "=== settings_sec.htm (changed lines) ==="
cat wled00/data/settings_sec.htm | head -20
echo ""
echo "=== json.cpp (serializeInfo section) ==="
grep -n "getChipModel\|esp32\|arch\|CONFIG_IDF_TARGET\|ARDUINO_ARCH_ESP32" wled00/json.cpp | head -40
echo ""
echo "=== Check toggle() in common.js ==="
grep -n -A 15 "^function toggle" wled00/data/common.js
echo ""
echo "=== Check getURL in common.js ==="
grep -n -A 5 "function getURL" wled00/data/common.js
echo ""
echo "=== hideforms check - what does update.htm hide? ==="
grep -n "hide\|toggle\|display\|Norelease\|Noupd\|toprow\|bottom\|bootloader" wled00/data/update.htm

Length of output: 9300

---

@softhack007 — Full re-review of all three changed files complete.

---

wled00/data/update.htm

Structural / Logic Review — All Good ✅

Item	Status
fetch(getURL('/json/info')) URL helper	✅ Correct
toggle('release-download') show/hide via common.js convention	✅ Toggles both #release-download and #Norelease-download correctly
gId('Norelease-download').classList.add("hide") on invalid repo / fetch failure	✅ Hides "Checking..." placeholder cleanly
allowBl check with .toLowerCase() for arch comparison	✅ Handles ESP.getChipModel() casing variations
data.arch == "esp8266" (case-sensitive)	✅ json.cpp line 831 consistently returns lowercase "esp8266"
bootloader-hash — white-space: pre-wrap + innerText with \n	✅ Addressed correctly; wrapping works in all frontends including WebView
data.repo used only via .href/.src assignment, not innerHTML	✅ No XSS risk
toggle('bootupd') when no #Nobootupd exists	✅ toggle() guards with if (n), safe

KrX3D's bootloader-section-during-update concern — Addressed ✅

hideforms() now explicitly hides #bootupd:

function hideforms() {
    gId('toprow').classList.add("hide");
    gId('backbtn').classList.add("hide");
    gId('bootupd').classList.add("hide");  // ← hides bootloader section
    toggle('upd');
}

Triggered by onsubmit on both the software update form and the bootloader update form, so the sibling section is always hidden during any update.

DedeHai's back button placement — Addressed ✅

#backbtn is the last element in <body>, correctly at the bottom of the page. Both back buttons are hidden during an update via hideforms().

Previously-flagged minor issues — still present (non-blocking):

1. window.open(getURL("/update?revert"), "_self") — some restricted WKWebView configurations can intercept window.open(). window.location.href = getURL("/update?revert") is the idiomatic same-document navigation.
2. <meta content='width=device-width' name='viewport'> — missing initial-scale=1; inconsistent with settings_sec.htm which has the full viewport meta.
3. type="text/javascript" on the <script> tag — redundant in HTML5.
4. onchange="sV.value=checked?1:''" — uses implicit named-element global (sV) and with-scope checked; document.getElementById('sV').value=this.checked?1:'' is unambiguous.

---

wled00/data/settings_sec.htm

Title changed to "Security & Update Setup" — confirmed appropriate by @softhack007 since the page contains OTA lock and password configuration. ✅

---

wled00/json.cpp

`#if` defined(ARDUINO_ARCH_ESP32) && defined(CONFIG_IDF_TARGET_ESP32)
  root[F("arch")] = "esp32";   // hardcoded lowercase for classic ESP32
`#else`
  root[F("arch")] = ESP.getChipModel();  // S2/S3/C3 etc.
`#endif`

This ensures classic ESP32 reports the same lowercase casing convention as "esp8266", which is the correct direction. The JS allowBl check already uses .toLowerCase() so this doesn't change runtime behavior, but it makes the API contract consistent. ✅

---

Summary: The PR is well-structured, the two main UX concerns (bootloader section visibility during update, back button placement) are correctly addressed, and the dynamic release URL/badge logic is sound. The four minor items above are low-priority and don't block a merge.

---

🧠 Learnings used

Learnt from: softhack007
Repo: wled/WLED PR: 0
File: :0-0
Timestamp: 2025-11-14T13:37:11.994Z
Learning: In WLED code reviews, when code is modified or added, look for "magic numbers" (hardcoded numeric literals) and suggest replacing them with appropriate defined constants when those constants are meaningful in the context of the PR. For example, the hardcoded value 32 should be replaced with WLED_MAX_SEGNAME_LEN when it represents a segment name length limit. This improves code maintainability and reduces the risk of inconsistencies.

---

Learnt from: softhack007
Repo: wled/WLED PR: 0
File: :0-0
Timestamp: 2025-11-14T13:37:30.955Z
Learning: In WLED code reviews, verify that file operations (especially file.open()) respect LittleFS filename limitations. Assume default WLED configuration with LittleFS default filename limit of 255 bytes. Do not assume extreme configuration values like WLED_MAX_SEGNAME_LEN = 512 which would not be standard configurations.

---

Learnt from: softhack007
Repo: wled/WLED PR: 0
File: :0-0
Timestamp: 2025-11-14T13:37:30.955Z
Learning: In WLED code reviews, when code is modified or added, look for "magic numbers" (hardcoded numeric literals) and suggest replacing them with defined constants when meaningful constants exist in the codebase. For example, suggest replacing hardcoded "32" with WLED_MAX_SEGNAME_LEN if the context relates to segment name length limits.

---

Learnt from: softhack007
Repo: wled/WLED PR: 0
File: :0-0
Timestamp: 2025-11-14T13:37:11.994Z
Learning: In WLED code reviews, file operations (especially file.open()) should be checked to ensure they respect LittleFS filename limitations. The default LittleFS filename limit is 255 bytes (LFS_NAME_MAX). Reviews should assume default WLED configuration defines and not extreme edge-case values (e.g., WLED_MAX_SEGNAME_LEN = 512 would not be standard). File paths should be validated to stay within the 255-byte limit.

---

Learnt from: DedeHai
Repo: wled/WLED PR: 5404
File: wled00/data/pixelforge/pixelforge.htm:633-641
Timestamp: 2026-03-05T15:54:44.117Z
Learning: In the WLED codebase, `common.js` (wled00/data/common.js) is the shared utility file loaded by all web UI pages. It already contains helpers like gId, cE, getURL, showToast, etc. It is the appropriate place to add shared sanitization helpers (esc, safeUrl) since they should be available to all pages without duplication. The esc/safeUrl helpers are only strictly necessary for pixelforge.htm's renderTools() because that is the only page fetching content from an external remote source (GitHub Pages). All other innerHTML+template-literal injection points in the WLED web UI (index.js, settings_time.htm, settings_leds.htm, cpal/cpal.htm) use device-local JSON which is considered trusted in the WLED threat model.

---

Learnt from: softhack007
Repo: wled/WLED PR: 5381
File: wled00/data/update.htm:2-2
Timestamp: 2026-02-19T13:24:28.983Z
Learning: In WLED, generated embedded header files (html_*.h, js_iro.h, etc.) are NOT stored in the repository and have not been for over 2 years. These files are automatically regenerated during the build process from the source files in wled00/data/. Only the source .htm, .html, .css, and .js files in wled00/data/ should be committed when making web UI changes.

---

Learnt from: DedeHai
Repo: wled/WLED PR: 4798
File: wled00/FX.cpp:7531-7533
Timestamp: 2025-08-26T11:51:21.817Z
Learning: In WLED PR `#4798`, DedeHai confirmed that certain gamma-related calls in FX.cpp/FX_fcn.cpp/particle systems are intentional for effect-level shaping (e.g., brightness curves, TV sim, Pride 2015 pre-mix), distinct from final output gamma. Do not flag or remove these in future reviews; add comments when feasible to clarify intent.

---

Learnt from: CR
Repo: wled/WLED PR: 0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-10-05T15:24:05.545Z
Learning: Applies to wled00/data/** : For web UI changes, edit files only under wled00/data (not firmware or generated files)

---

Learnt from: blazoncek
Repo: wled/WLED PR: 5140
File: wled00/data/settings_time.htm:66-76
Timestamp: 2025-12-01T07:01:16.949Z
Learning: In WLED PR `#5134`, the fix for macros being initialized with the enable bit set only handles new configurations, not existing ones. If there is a bug in timer/macro handling code (e.g., in settings_time.htm), it must be fixed to work correctly for existing configurations as well.

---

Learnt from: netmindz
Repo: wled/WLED PR: 5093
File: wled00/util.cpp:1159-1182
Timestamp: 2025-11-20T00:04:04.829Z
Learning: In WLED PR `#5093`, the deviceId feature is designed for opt-in usage reporting that tracks only version/upgrade information (non-behavioral data), not user activity patterns. The deterministic salt approach (MAC + "WLED" + chip model/revision) is acceptable for this limited use case, as correlating MAC addresses to version history represents minimal privacy risk compared to behavioral tracking.

---

Learnt from: willmmiles
Repo: wled/WLED PR: 4998
File: wled00/ota_update.cpp:120-124
Timestamp: 2025-10-11T17:56:24.923Z
Learning: In the WLED OTA update implementation (wled00/ota_update.cpp), the parameter name for bypassing OTA validation is "skipValidation", not "ignoreRelease". The intent evolved from the original spec in issue `#4929` to disable all validation checks, not just release name checks, which is why the broader parameter name "skipValidation" is used.

✅ Actions performed

Full review triggered.