Add flask fetch_firmware command for the Memfault CoreDevice cron

Polls Memfault's releases/latest endpoint for each CoreDevice hardware,
skips versions already recorded in the firmwares table, and for each
new one streams the .pbz down (computing sha256 on the fly), uploads it
to S3 at {S3_PATH}{hardware}/Pebble-{version}-{hardware}.pbz, and
upserts a `normal` row pointing at {FIRMWARE_ROOT}/{hardware}/... with
the computed hash. Idempotent, safe to run from cron.

Also lifts the upsert logic into a Firmware.upsert classmethod so
memfault.py and cli.py can share without a circular import, and adds
MEMFAULT_TOKEN / AWS_ACCESS_KEY / AWS_SECRET_KEY / S3_BUCKET / S3_PATH /
S3_ENDPOINT to settings + docker-compose env passthrough.

Author: aveao

README.md

@@ -10,9 +10,14 @@ Environment variables:
 | Variable | Required | Default | Purpose |
 | --- | --- | --- | --- |
 | `DATABASE_URL` | yes | — | SQLAlchemy DB URL, e.g. `postgresql+psycopg://user:pw@host:5432/cohorts` |
-| `FIRMWARE_ROOT` | no | `https://binaries.rebble.io/fw` | Base URL used by `import_json` to build `.pbz` URLs |
+| `FIRMWARE_ROOT` | no | `https://binaries.rebble.io/fw` | Base URL used by `import_json` and `fetch_firmware` to build `.pbz` URLs |
 | `HONEYCOMB_KEY` | no | — | Honeycomb write key; beeline disabled if unset |
 | `REBBLE_AUTH` | no | — | Rebble auth service URL; if unset, `Authorization` headers on `/cohort` are ignored |
+| `MEMFAULT_TOKEN` | for `fetch_firmware` | — | Memfault project key |
+| `AWS_ACCESS_KEY` / `AWS_SECRET_KEY` | for `fetch_firmware` | — | S3 creds for re-uploading firmware blobs |
+| `S3_BUCKET` | for `fetch_firmware` | — | Target bucket (e.g. `rebble-binaries`) |
+| `S3_PATH` | no | `fw/` | Key prefix inside `S3_BUCKET` (must align with the tail of `FIRMWARE_ROOT`) |
+| `S3_ENDPOINT` | no | — | Custom S3 endpoint URL; leave unset for AWS |
 
 ## Local development
 
@@ -49,6 +54,14 @@ docker compose exec app uv run flask submit_firmware \
 
 `kind` must be `normal` or `recovery`. `--timestamp` defaults to now. Re-running with the same `(hardware, kind, version)` upserts; submitting with a fresh timestamp is how you roll forward or back.
 
+### Fetching CoreDevice firmware from Memfault
+
+```
+docker compose exec app uv run flask fetch_firmware
+```
+
+Checks Memfault's `releases/latest` for each CoreDevice hardware (asterix, obelix_*, getafix_*, obelix_bb*), skips versions already recorded, and for each new one: streams the `.pbz` down while hashing it, uploads it to S3 at `{S3_PATH}{hardware}/Pebble-{version}-{hardware}.pbz`, and upserts a `normal` row with the resulting `{FIRMWARE_ROOT}/…` URL and the computed sha256. Idempotent and safe to run from cron. Requires `MEMFAULT_TOKEN`, `AWS_ACCESS_KEY`, `AWS_SECRET_KEY`, and `S3_BUCKET` in the environment (docker-compose forwards these from the host). Supports `--token`.
+
 ### Migrations
 
 `migrations/` is a standard Flask-Migrate / Alembic layout. `docker compose up` auto-applies pending migrations. To generate a new revision after editing models:

cohorts/cli.py

@@ -4,33 +4,13 @@
 import click
 from flask import cli as flask_cli
 
+from .memfault import fetch_firmware_command
 from .models import Firmware, db
 from .settings import config
 
 VALID_FW_KINDS = ("normal", "recovery")
 
 
-def _upsert_firmware(hardware, kind, version, url, sha256, timestamp, notes):
-    existing = Firmware.query.filter_by(hardware=hardware, kind=kind, version=version).one_or_none()
-    if existing is None:
-        db.session.add(
-            Firmware(
-                hardware=hardware,
-                kind=kind,
-                version=version,
-                url=url,
-                sha256=sha256,
-                timestamp=timestamp,
-                notes=notes,
-            )
-        )
-    else:
-        existing.url = url
-        existing.sha256 = sha256
-        existing.timestamp = timestamp
-        existing.notes = notes
-
-
 @click.command(name="import_json")
 @flask_cli.with_appcontext
 def import_json_command():
@@ -48,7 +28,7 @@ def import_json_command():
             url = f"{config['FIRMWARE_ROOT']}/{hardware}/Pebble-{raw_version}-{hardware}.pbz"
             timestamp = timestamps_map[raw_version]
             notes = notes_map.get(raw_version)
-            _upsert_firmware(hardware, kind, version, url, sha256, timestamp, notes)
+            Firmware.upsert(hardware, kind, version, url, sha256, timestamp, notes)
             count += 1
     db.session.commit()
     click.echo(f"Imported {count} firmware rows.")
@@ -68,11 +48,12 @@ def submit_firmware_command(hardware, kind, version, url, sha256, timestamp, not
         raise click.BadParameter(f"kind must be one of {VALID_FW_KINDS}, got {kind!r}")
     if timestamp is None:
         timestamp = int(time.time())
-    _upsert_firmware(hardware, kind, version, url, sha256, timestamp, notes)
+    Firmware.upsert(hardware, kind, version, url, sha256, timestamp, notes)
     db.session.commit()
     click.echo(f"Submitted firmware {hardware}/{kind}/{version}.")
 
 
 def init_app(app):
     app.cli.add_command(import_json_command)
     app.cli.add_command(submit_firmware_command)
+    app.cli.add_command(fetch_firmware_command)

cohorts/memfault.py

@@ -0,0 +1,156 @@
+import hashlib
+import io
+import time
+
+import boto3
+import click
+import httpx
+from flask import cli as flask_cli
+
+from .models import Firmware, db
+from .settings import config
+
+MEMFAULT_API = "https://api.memfault.com/api/v0/releases/latest"
+
+# Core Devices hardware revisions. These short names are both the `hardware`
+# value we store in the firmwares table and the `hardware_version` string
+# Memfault expects. Based on the mobileapp WatchHardwarePlatform.
+CORE_DEVICES_DEVICES = (
+    "asterix",
+    "obelix_evt",
+    "obelix_dvt",
+    "obelix_pvt",
+    "getafix_evt",
+    "getafix_dvt",
+    "obelix_bb",
+    "obelix_bb2",
+)
+
+
+def _fetch_latest(client, token, hw_revision):
+    resp = client.get(
+        MEMFAULT_API,
+        params={
+            "hardware_version": hw_revision,
+            "software_type": "pebbleos",
+            "device_serial": "REBBLE_COHORTS_CRON",
+        },
+        headers={"Memfault-Project-Key": token},
+    )
+    if resp.status_code == 204:
+        return None
+    resp.raise_for_status()
+    return resp.json()
+
+
+def _download_and_hash(client, url):
+    sha256 = hashlib.sha256()
+    buf = io.BytesIO()
+    with client.stream("GET", url) as resp:
+        resp.raise_for_status()
+        for chunk in resp.iter_bytes(chunk_size=8192):
+            buf.write(chunk)
+            sha256.update(chunk)
+    buf.seek(0)
+    return buf, sha256.hexdigest()
+
+
+def _s3_client():
+    return boto3.client(
+        "s3",
+        aws_access_key_id=config["AWS_ACCESS_KEY"],
+        aws_secret_access_key=config["AWS_SECRET_KEY"],
+        endpoint_url=config["S3_ENDPOINT"],
+    )
+
+
+def _upload(data, s3_key):
+    data.seek(0)
+    _s3_client().upload_fileobj(
+        data,
+        config["S3_BUCKET"],
+        s3_key,
+        ExtraArgs={"ContentType": "application/octet-stream"},
+    )
+
+
+@click.command(name="fetch_firmware")
+@click.option(
+    "--token",
+    default=None,
+    help="Memfault project key (falls back to MEMFAULT_TOKEN env).",
+)
+@flask_cli.with_appcontext
+def fetch_firmware_command(token):
+    """Check Memfault for the latest firmware for each CoreDevice hardware,
+    download + re-upload to our CDN, and upsert into the firmwares table."""
+    token = token or config["MEMFAULT_TOKEN"]
+    if not token:
+        raise click.UsageError("MEMFAULT_TOKEN not set (pass --token or set the env var).")
+    for var in ("AWS_ACCESS_KEY", "AWS_SECRET_KEY", "S3_BUCKET"):
+        if not config[var]:
+            raise click.UsageError(f"{var} env var not set.")
+
+    added = 0
+    skipped = 0
+    failed = 0
+    with httpx.Client(follow_redirects=True, timeout=60.0) as client:
+        for hardware in CORE_DEVICES_DEVICES:
+            click.echo(f"[{hardware}]: ", nl=False)
+            try:
+                info = _fetch_latest(client, token, hardware)
+            except httpx.HTTPStatusError as e:
+                click.echo(f"lookup FAILED ({e.response.status_code})")
+                failed += 1
+                continue
+
+            if info is None:
+                click.echo("no update available")
+                continue
+
+            version = info["version"]
+            notes = info.get("notes") or None
+            artifact_url = info["artifacts"][0]["url"]
+
+            existing = Firmware.query.filter_by(
+                hardware=hardware, kind="normal", version=version
+            ).one_or_none()
+            if existing is not None:
+                click.echo(f"{version} already in DB, skipping")
+                skipped += 1
+                continue
+
+            filename = f"Pebble-{version}-{hardware}.pbz"
+            s3_key = f"{config['S3_PATH']}{hardware}/{filename}"
+            public_url = f"{config['FIRMWARE_ROOT']}/{hardware}/{filename}"
+
+            click.echo(f"{version} downloading... ", nl=False)
+            try:
+                data, sha256 = _download_and_hash(client, artifact_url)
+            except httpx.HTTPStatusError as e:
+                click.echo(f"download FAILED ({e.response.status_code})")
+                failed += 1
+                continue
+
+            click.echo("uploading... ", nl=False)
+            try:
+                _upload(data, s3_key)
+            except Exception as e:
+                click.echo(f"upload FAILED ({e})")
+                failed += 1
+                continue
+
+            Firmware.upsert(
+                hardware=hardware,
+                kind="normal",
+                version=version,
+                url=public_url,
+                sha256=sha256,
+                timestamp=int(time.time()),
+                notes=notes,
+            )
+            db.session.commit()
+            click.echo("OK")
+            added += 1
+
+    click.echo(f"done. {added} added, {skipped} already present, {failed} failed.")

cohorts/models.py

@@ -29,6 +29,27 @@ def to_json(self, archival: bool = False):
             result["hardware"] = self.hardware
         return result
 
+    @classmethod
+    def upsert(cls, hardware, kind, version, url, sha256, timestamp, notes):
+        existing = cls.query.filter_by(hardware=hardware, kind=kind, version=version).one_or_none()
+        if existing is None:
+            db.session.add(
+                cls(
+                    hardware=hardware,
+                    kind=kind,
+                    version=version,
+                    url=url,
+                    sha256=sha256,
+                    timestamp=timestamp,
+                    notes=notes,
+                )
+            )
+        else:
+            existing.url = url
+            existing.sha256 = sha256
+            existing.timestamp = timestamp
+            existing.notes = notes
+
 
 db.Index(
     "ix_firmwares_hardware_kind_timestamp",

cohorts/settings.py

@@ -5,4 +5,10 @@
     "HONEYCOMB_KEY": os.environ.get("HONEYCOMB_KEY"),
     "REBBLE_AUTH": os.environ.get("REBBLE_AUTH"),
     "FIRMWARE_ROOT": os.environ.get("FIRMWARE_ROOT", "https://binaries.rebble.io/fw"),
+    "MEMFAULT_TOKEN": os.environ.get("MEMFAULT_TOKEN"),
+    "AWS_ACCESS_KEY": os.environ.get("AWS_ACCESS_KEY"),
+    "AWS_SECRET_KEY": os.environ.get("AWS_SECRET_KEY"),
+    "S3_BUCKET": os.environ.get("S3_BUCKET"),
+    "S3_PATH": os.environ.get("S3_PATH", "fw/"),
+    "S3_ENDPOINT": os.environ.get("S3_ENDPOINT"),
 }

docker-compose.yaml

@@ -18,6 +18,15 @@ services:
     environment:
       DATABASE_URL: postgresql+psycopg://cohorts:cohorts@db:5432/cohorts
       FLASK_APP: cohorts
+      # Passed through from the host so operators can invoke `flask fetch_firmware`
+      # via `docker compose exec`. Unset on the host -> unset in the container.
+      MEMFAULT_TOKEN: ${MEMFAULT_TOKEN:-}
+      AWS_ACCESS_KEY: ${AWS_ACCESS_KEY:-}
+      AWS_SECRET_KEY: ${AWS_SECRET_KEY:-}
+      S3_BUCKET: ${S3_BUCKET:-}
+      S3_PATH: ${S3_PATH:-fw/}
+      S3_ENDPOINT: ${S3_ENDPOINT:-}
+      FIRMWARE_ROOT: ${FIRMWARE_ROOT:-https://binaries.rebble.io/fw}
     ports:
       - "5000:5000"
     volumes:

pyproject.toml

@@ -5,6 +5,7 @@ description = "The Rebble cohorts API"
 readme = "README.md"
 requires-python = "~=3.14.0"
 dependencies = [
+    "boto3>=1.35.0",
     "flask>=3.1.3",
     "flask-migrate>=4.1.0",
     "flask-sqlalchemy>=3.1.1",