Merge V2.14+fall2025 into main

[rquidute]

Merge V2.14+fall2025 into main

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
8 out of 9 committers have signed the CLA.

✅ rxwen
✅ antonio-amjr
✅ swan-amazon
✅ rquidute
✅ hiltonlima
✅ rl-mediola
✅ kiel-apple
✅ chulspro
❌ Romulo Quidute Filho

---

Romulo Quidute Filho seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[gemini-code-assist]

Summary of Changes

Hello @rquidute, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request integrates the V2.14+fall2025 branch into the main codebase, delivering a comprehensive set of updates to the Test Harness. The changes focus on enhancing the user experience through detailed documentation for new Matter versions and features like Wi-Fi PAF commissioning and camera support. Significant work has also gone into refining the underlying infrastructure, including Docker configurations for improved service communication and robust installation/update mechanisms with better logging and dependency handling. These updates aim to streamline the setup and operation of the Test Harness for certification purposes.

Highlights

• Major Version Update: This pull request merges the V2.14+fall2025 branch into main, signifying a substantial update to the Test Harness with new features and improvements.
• Documentation Enhancements: The user guide (Matter_TH_User_Guide.adoc) has been extensively updated to reflect new Matter versions (up to 1.5), introduce sections for Wi-Fi PAF Commissioning, Matter Test Harness Cameras, and Platform Certification Configuration, and provide updated links and instructions for various tools and processes.
• Docker Configuration Updates: The docker-compose.yml file includes new Traefik configurations to support a pushav service with insecureSkipVerify for self-signed certificates, exposes UDP port 5000 for the backend, and updates the backend and frontend service images. It also adds host.docker.internal to extra_hosts for improved host communication.
• Installation and Update Script Refactoring: Installation and update scripts (auto-install.sh, auto-update.sh) for both Raspberry Pi and Ubuntu have been refactored into modular internal- scripts, improving maintainability and adding logging capabilities. New scripts for sideloading and additional dependency installation have also been introduced.
• Dependency Management Improvements: The Docker CE installation process has been refined to explicitly avoid problematic version 29.x, and new additional dependencies related to GStreamer and FFmpeg have been added to support camera features.
• Subproject Updates: The backend, cli, and frontend subprojects have been updated to their latest respective commits, indicating new features or bug fixes within these core components.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[mergify]

⚠️ The sha of the head commit of this PR conflicts with #790. Mergify cannot evaluate rules on this PR. ⚠️

[gemini-code-assist]

Code Review

This pull request merges the V2.14+fall2025 release branch into main, introducing significant updates. Key changes include the addition of documentation for Wi-Fi PAF Commissioning and Matter Test Harness Cameras, updates to various dependencies and configurations in docker-compose.yml, and extensive refactoring of installation and update scripts to improve logging and robustness.

My review focuses on the correctness and maintainability of these changes. I've identified a critical issue in a refactored update script that will cause it to fail, a high-severity security concern in the docker-compose.yml configuration, and several medium-severity issues in the documentation and a new utility script. These points are detailed in the review comments with suggestions for improvement.

[gemini-code-assist]

This script will fail because it calls print_script_step and verify_return_code without sourcing utils.sh where these functions are defined.

The refactoring to introduce logging seems incomplete. To fix this and make it consistent with other scripts like pi-setup/auto-install.sh, all the operational logic should be moved into internal-auto-update.sh. The auto-update.sh script should only be a wrapper that handles argument checking and calls the internal script while piping its output to a log file.

Specifically, the update-th-code.sh call should be moved into internal-auto-update.sh.

[gemini-code-assist]

Using serversTransport.insecureSkipVerify=true as a global command-line flag disables TLS certificate validation for all backend services, which poses a security risk. While the comment explains this is for push_av_server with a self-signed certificate, it's better to apply this setting only to the specific service that needs it. The comment correctly notes that service-specific transport configurations were introduced in Traefik v2.4. Consider upgrading Traefik from v2.2 to v2.4 or newer. This would allow you to configure insecureSkipVerify on a per-service basis within your dynamic configuration file (traefik_dynamic.yml), improving the overall security of your deployment.

[gemini-code-assist]

This configuration example for wpa_supplicant is not formatted as a code block, and the *** and + characters make it difficult to read and copy. For better clarity and usability, it should be formatted using an AsciiDoc source block.

** TH does not need any special setting, just need to connect to AP. It's ok even using ethernet. But Wi-Fi should be on that I always test by using Wi-Fi connecting to AP. Test wpa_supplicant configure file script is below:
+
[source,ini]
----
ctrl_interface=DIR=/run/wpa_supplicant
update_config=1
network={
  ssid="n_m_2g"
  key_mgmt=WPA-PSK
  psk="nxp12345"
}
----

[gemini-code-assist]

The code block for installing GStreamer is using Markdown syntax (```shell). Since this is an AsciiDoc file, it should be updated to use the correct source block syntax for proper rendering.

[source,shell]
----
sudo apt-get install \
    libgstreamer1.0-dev \
    libgstreamer-plugins-base1.0-dev \
    libgstreamer-plugins-bad1.0-dev \
    gstreamer1.0-plugins-base \
    gstreamer1.0-plugins-good \
    gstreamer1.0-plugins-bad \
    gstreamer1.0-plugins-ugly \
    gstreamer1.0-libav \
    gstreamer1.0-tools \
    gstreamer1.0-x \
    gstreamer1.0-alsa \
    gstreamer1.0-gl \
    gstreamer1.0-gtk3 \
    gstreamer1.0-qt5 \
    gstreamer1.0-pulseaudio
----

[gemini-code-assist]

Hardcoding the container name certification-tool-backend-1 is brittle. The name is generated by docker compose and depends on the project's directory name. It's more robust to look up the container ID using its service name from docker-compose.yml, which is backend.

Consider retrieving the container ID at the beginning of the script and using it for all subsequent docker commands.

Example:

# At the top of the script
BACKEND_SERVICE_NAME="backend"
CONTAINER_ID=$(docker compose ps -q "$BACKEND_SERVICE_NAME")

if [ -z "$CONTAINER_ID" ]; then
    echo "Container for service '$BACKEND_SERVICE_NAME' not found."
    exit 1
fi

# Then use $CONTAINER_ID for all docker commands, e.g.:
docker exec -i "$CONTAINER_ID" ...
docker restart "$CONTAINER_ID"

[mergify]

⚠️ The sha of the head commit of this PR conflicts with #790. Mergify cannot evaluate rules on this PR. ⚠️

[mergify]

⚠️ The sha of the head commit of this PR conflicts with #790. Mergify cannot evaluate rules on this PR. ⚠️