fix: gate Ford VP44 unlock on CAN liveness to prevent false-unlocked reads

Before this fix, StartUnlockIfRequired was called immediately after registering the pump's CAN parameters, before any frames had been decoded. The TestUnlock parameter's zero-initialised Value was interpreted as "unlocked" for Type 1 pumps, causing Phase 1 to be skipped and UnlockCompleted(true) to fire falsely. Changes: - ICanService: add IsPumpAlive property (volatile-backed in PcanAdapter) - PcanAdapter: implement IsPumpAlive; mark _pumpAlive/_benchAlive volatile for safe cross-thread reads - MainViewModel: replace direct StartUnlockIfRequired call with a fire-and-forget WaitForPumpCanThenUnlockAsync that waits for PumpLivenessChanged(true) + 250 ms grace, then invokes unlock on the UI thread; cancellation on pump change or CAN disconnect via _pumpLivenessCts - UnlockService.UnlockAsync: skip Phase 2 state-machine when observer seed already reports unlocked (senders still run to prevent re-lock) Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-22 16:52:16 +02:00
parent 9a593e4ff2
commit da0581967b
4 changed files with 388 additions and 42 deletions
--- a/Services/ICanService.cs
+++ b/Services/ICanService.cs
@@ -41,6 +41,15 @@ namespace HC_APTBS.Services
        /// <summary>True when the CAN read thread is running and the channel is open.</summary>
        bool IsConnected { get; }

+        /// <summary>
+        /// True when pump-ECU frames have been received within the last liveness window.
+        /// Mirrors the last value broadcast via <see cref="PumpLivenessChanged"/>.
+        /// Used by pump-selection flows (e.g. immobilizer unlock) to avoid reading stale
+        /// zero-initialised parameter values before the pump has actually started
+        /// transmitting on the bus.
+        /// </summary>
+        bool IsPumpAlive { get; }
+
        /// <summary>
        /// The PCAN channel handle that will be used on the next <see cref="Connect"/> call.
        /// Defaults to the channel supplied at construction.
--- a/Services/Impl/UnlockService.cs
+++ b/Services/Impl/UnlockService.cs
@@ -87,8 +87,19 @@ namespace HC_APTBS.Services.Impl
            ct.ThrowIfCancellationRequested();

            // ── Phase 2: TestUnlock state machine ────────────────────────────────
-            StatusChanged?.Invoke("Testing unlock...");
-            await RunTestUnlockSequenceAsync(pump.UnlockType, ct).ConfigureAwait(false);
+            // Skip when the observer already latched an unlocked state — the
+            // four 0x700 commands are a no-op in that case and just keep the
+            // dispatcher/CAN bus busy for ~4 s. Senders remain running so the
+            // Ford ECU doesn't re-lock.
+            if (_isPumpUnlocked)
+            {
+                _log.Info(LogId, "Pump already unlocked — skipping Phase 2 state machine");
+            }
+            else
+            {
+                StatusChanged?.Invoke("Testing unlock...");
+                await RunTestUnlockSequenceAsync(pump.UnlockType, ct).ConfigureAwait(false);
+            }

            // ── Verify unlock status via CAN TestUnlock parameter ────────────────
            bool success = VerifyUnlock(pump);