Merge branch 'dev' into str_sprintf

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

esphome/components/alarm_control_panel/alarm_control_panel.cpp

@@ -67,52 +67,29 @@ void AlarmControlPanel::add_on_ready_callback(std::function<void()> &&callback)
   this->ready_callback_.add(std::move(callback));
 }
 
-void AlarmControlPanel::arm_away(optional<std::string> code) {
+void AlarmControlPanel::arm_with_code_(AlarmControlPanelCall &(AlarmControlPanelCall::*arm_method)(),
+                                       const char *code) {
   auto call = this->make_call();
-  call.arm_away();
-  if (code.has_value())
-    call.set_code(code.value());
+  (call.*arm_method)();
+  if (code != nullptr)
+    call.set_code(code);
   call.perform();
 }
 
-void AlarmControlPanel::arm_home(optional<std::string> code) {
-  auto call = this->make_call();
-  call.arm_home();
-  if (code.has_value())
-    call.set_code(code.value());
-  call.perform();
+void AlarmControlPanel::arm_away(const char *code) { this->arm_with_code_(&AlarmControlPanelCall::arm_away, code); }
+
+void AlarmControlPanel::arm_home(const char *code) { this->arm_with_code_(&AlarmControlPanelCall::arm_home, code); }
+
+void AlarmControlPanel::arm_night(const char *code) { this->arm_with_code_(&AlarmControlPanelCall::arm_night, code); }
+
+void AlarmControlPanel::arm_vacation(const char *code) {
+  this->arm_with_code_(&AlarmControlPanelCall::arm_vacation, code);
 }
 
-void AlarmControlPanel::arm_night(optional<std::string> code) {
-  auto call = this->make_call();
-  call.arm_night();
-  if (code.has_value())
-    call.set_code(code.value());
-  call.perform();
+void AlarmControlPanel::arm_custom_bypass(const char *code) {
+  this->arm_with_code_(&AlarmControlPanelCall::arm_custom_bypass, code);
 }
 
-void AlarmControlPanel::arm_vacation(optional<std::string> code) {
-  auto call = this->make_call();
-  call.arm_vacation();
-  if (code.has_value())
-    call.set_code(code.value());
-  call.perform();
-}
-
-void AlarmControlPanel::arm_custom_bypass(optional<std::string> code) {
-  auto call = this->make_call();
-  call.arm_custom_bypass();
-  if (code.has_value())
-    call.set_code(code.value());
-  call.perform();
-}
-
-void AlarmControlPanel::disarm(optional<std::string> code) {
-  auto call = this->make_call();
-  call.disarm();
-  if (code.has_value())
-    call.set_code(code.value());
-  call.perform();
-}
+void AlarmControlPanel::disarm(const char *code) { this->arm_with_code_(&AlarmControlPanelCall::disarm, code); }
 
 }  // namespace esphome::alarm_control_panel

esphome/components/alarm_control_panel/alarm_control_panel.h

@@ -76,37 +76,53 @@ class AlarmControlPanel : public EntityBase {
    *
    * @param code The code
    */
-  void arm_away(optional<std::string> code = nullopt);
+  void arm_away(const char *code = nullptr);
+  void arm_away(const optional<std::string> &code) {
+    this->arm_away(code.has_value() ? code.value().c_str() : nullptr);
+  }
 
   /** arm the alarm in home mode
    *
    * @param code The code
    */
-  void arm_home(optional<std::string> code = nullopt);
+  void arm_home(const char *code = nullptr);
+  void arm_home(const optional<std::string> &code) {
+    this->arm_home(code.has_value() ? code.value().c_str() : nullptr);
+  }
 
   /** arm the alarm in night mode
    *
    * @param code The code
    */
-  void arm_night(optional<std::string> code = nullopt);
+  void arm_night(const char *code = nullptr);
+  void arm_night(const optional<std::string> &code) {
+    this->arm_night(code.has_value() ? code.value().c_str() : nullptr);
+  }
 
   /** arm the alarm in vacation mode
    *
    * @param code The code
    */
-  void arm_vacation(optional<std::string> code = nullopt);
+  void arm_vacation(const char *code = nullptr);
+  void arm_vacation(const optional<std::string> &code) {
+    this->arm_vacation(code.has_value() ? code.value().c_str() : nullptr);
+  }
 
   /** arm the alarm in custom bypass mode
    *
    * @param code The code
    */
-  void arm_custom_bypass(optional<std::string> code = nullopt);
+  void arm_custom_bypass(const char *code = nullptr);
+  void arm_custom_bypass(const optional<std::string> &code) {
+    this->arm_custom_bypass(code.has_value() ? code.value().c_str() : nullptr);
+  }
 
   /** disarm the alarm
    *
    * @param code The code
    */
-  void disarm(optional<std::string> code = nullopt);
+  void disarm(const char *code = nullptr);
+  void disarm(const optional<std::string> &code) { this->disarm(code.has_value() ? code.value().c_str() : nullptr); }
 
   /** Get the state
    *
@@ -118,6 +134,8 @@ class AlarmControlPanel : public EntityBase {
 
  protected:
   friend AlarmControlPanelCall;
+  // Helper to reduce code duplication for arm/disarm methods
+  void arm_with_code_(AlarmControlPanelCall &(AlarmControlPanelCall::*arm_method)(), const char *code);
   // in order to store last panel state in flash
   ESPPreferenceObject pref_;
   // current state

esphome/components/alarm_control_panel/alarm_control_panel_call.cpp

@@ -10,8 +10,10 @@ static const char *const TAG = "alarm_control_panel";
 
 AlarmControlPanelCall::AlarmControlPanelCall(AlarmControlPanel *parent) : parent_(parent) {}
 
-AlarmControlPanelCall &AlarmControlPanelCall::set_code(const std::string &code) {
-  this->code_ = code;
+AlarmControlPanelCall &AlarmControlPanelCall::set_code(const char *code) {
+  if (code != nullptr) {
+    this->code_ = std::string(code);
+  }
   return *this;
 }
 

esphome/components/alarm_control_panel/alarm_control_panel_call.h

@@ -14,7 +14,8 @@ class AlarmControlPanelCall {
  public:
   AlarmControlPanelCall(AlarmControlPanel *parent);
 
-  AlarmControlPanelCall &set_code(const std::string &code);
+  AlarmControlPanelCall &set_code(const char *code);
+  AlarmControlPanelCall &set_code(const std::string &code) { return this->set_code(code.c_str()); }
   AlarmControlPanelCall &arm_away();
   AlarmControlPanelCall &arm_home();
   AlarmControlPanelCall &arm_night();

esphome/components/alarm_control_panel/automation.h

@@ -66,15 +66,7 @@ template<typename... Ts> class ArmAwayAction : public Action<Ts...> {
 
   TEMPLATABLE_VALUE(std::string, code)
 
-  void play(const Ts &...x) override {
-    auto call = this->alarm_control_panel_->make_call();
-    auto code = this->code_.optional_value(x...);
-    if (code.has_value()) {
-      call.set_code(code.value());
-    }
-    call.arm_away();
-    call.perform();
-  }
+  void play(const Ts &...x) override { this->alarm_control_panel_->arm_away(this->code_.optional_value(x...)); }
 
  protected:
   AlarmControlPanel *alarm_control_panel_;
@@ -86,15 +78,7 @@ template<typename... Ts> class ArmHomeAction : public Action<Ts...> {
 
   TEMPLATABLE_VALUE(std::string, code)
 
-  void play(const Ts &...x) override {
-    auto call = this->alarm_control_panel_->make_call();
-    auto code = this->code_.optional_value(x...);
-    if (code.has_value()) {
-      call.set_code(code.value());
-    }
-    call.arm_home();
-    call.perform();
-  }
+  void play(const Ts &...x) override { this->alarm_control_panel_->arm_home(this->code_.optional_value(x...)); }
 
  protected:
   AlarmControlPanel *alarm_control_panel_;
@@ -106,15 +90,7 @@ template<typename... Ts> class ArmNightAction : public Action<Ts...> {
 
   TEMPLATABLE_VALUE(std::string, code)
 
-  void play(const Ts &...x) override {
-    auto call = this->alarm_control_panel_->make_call();
-    auto code = this->code_.optional_value(x...);
-    if (code.has_value()) {
-      call.set_code(code.value());
-    }
-    call.arm_night();
-    call.perform();
-  }
+  void play(const Ts &...x) override { this->alarm_control_panel_->arm_night(this->code_.optional_value(x...)); }
 
  protected:
   AlarmControlPanel *alarm_control_panel_;

esphome/components/esp32_hosted/update/esp32_hosted_update.cpp

@@ -11,6 +11,7 @@
 #include <esp_ota_ops.h>
 
 #ifdef USE_ESP32_HOSTED_HTTP_UPDATE
+#include "esphome/components/http_request/http_request.h"
 #include "esphome/components/json/json_util.h"
 #include "esphome/components/network/util.h"
 #endif
@@ -184,15 +185,23 @@ bool Esp32HostedUpdate::fetch_manifest_() {
   }
 
   // Read manifest JSON into string (manifest is small, ~1KB max)
+  // NOTE: HttpContainer::read() has non-BSD socket semantics - see http_request.h
+  // Use http_read_loop_result() helper instead of checking return values directly
   std::string json_str;
   json_str.reserve(container->content_length);
   uint8_t buf[256];
+  uint32_t last_data_time = millis();
+  const uint32_t read_timeout = this->http_request_parent_->get_timeout();
   while (container->get_bytes_read() < container->content_length) {
-    int read = container->read(buf, sizeof(buf));
-    if (read > 0) {
-      json_str.append(reinterpret_cast<char *>(buf), read);
-    }
+    int read_or_error = container->read(buf, sizeof(buf));
+    App.feed_wdt();
     yield();
+    auto result = http_request::http_read_loop_result(read_or_error, last_data_time, read_timeout);
+    if (result == http_request::HttpReadLoopResult::RETRY)
+      continue;
+    if (result != http_request::HttpReadLoopResult::DATA)
+      break;  // ERROR or TIMEOUT
+    json_str.append(reinterpret_cast<char *>(buf), read_or_error);
   }
   container->end();
 
@@ -297,32 +306,38 @@ bool Esp32HostedUpdate::stream_firmware_to_coprocessor_() {
   }
 
   // Stream firmware to coprocessor while computing SHA256
+  // NOTE: HttpContainer::read() has non-BSD socket semantics - see http_request.h
+  // Use http_read_loop_result() helper instead of checking return values directly
   sha256::SHA256 hasher;
   hasher.init();
 
   uint8_t buffer[CHUNK_SIZE];
+  uint32_t last_data_time = millis();
+  const uint32_t read_timeout = this->http_request_parent_->get_timeout();
   while (container->get_bytes_read() < total_size) {
-    int read = container->read(buffer, sizeof(buffer));
+    int read_or_error = container->read(buffer, sizeof(buffer));
 
     // Feed watchdog and give other tasks a chance to run
     App.feed_wdt();
     yield();
 
-    // Exit loop if no data available (stream closed or end of data)
-    if (read <= 0) {
-      if (read < 0) {
-        ESP_LOGE(TAG, "Stream closed with error");
-        esp_hosted_slave_ota_end();  // NOLINT
-        container->end();
-        this->status_set_error(LOG_STR("Download failed"));
-        return false;
+    auto result = http_request::http_read_loop_result(read_or_error, last_data_time, read_timeout);
+    if (result == http_request::HttpReadLoopResult::RETRY)
+      continue;
+    if (result != http_request::HttpReadLoopResult::DATA) {
+      if (result == http_request::HttpReadLoopResult::TIMEOUT) {
+        ESP_LOGE(TAG, "Timeout reading firmware data");
+      } else {
+        ESP_LOGE(TAG, "Error reading firmware data: %d", read_or_error);
       }
-      // read == 0: no more data available, exit loop
-      break;
+      esp_hosted_slave_ota_end();  // NOLINT
+      container->end();
+      this->status_set_error(LOG_STR("Download failed"));
+      return false;
     }
 
-    hasher.add(buffer, read);
-    err = esp_hosted_slave_ota_write(buffer, read);  // NOLINT
+    hasher.add(buffer, read_or_error);
+    err = esp_hosted_slave_ota_write(buffer, read_or_error);  // NOLINT
     if (err != ESP_OK) {
       ESP_LOGE(TAG, "Failed to write OTA data: %s", esp_err_to_name(err));
       esp_hosted_slave_ota_end();  // NOLINT

esphome/components/esp8266/preferences.cpp

@@ -12,7 +12,6 @@ extern "C" {
 #include "preferences.h"
 
 #include <cstring>
-#include <memory>
 
 namespace esphome::esp8266 {
 
@@ -143,16 +142,8 @@ class ESP8266PreferenceBackend : public ESPPreferenceBackend {
       return false;
 
     const size_t buffer_size = static_cast<size_t>(this->length_words) + 1;
-    uint32_t stack_buffer[PREF_BUFFER_WORDS];
-    std::unique_ptr<uint32_t[]> heap_buffer;
-    uint32_t *buffer;
-
-    if (buffer_size <= PREF_BUFFER_WORDS) {
-      buffer = stack_buffer;
-    } else {
-      heap_buffer = make_unique<uint32_t[]>(buffer_size);
-      buffer = heap_buffer.get();
-    }
+    SmallBufferWithHeapFallback<PREF_BUFFER_WORDS, uint32_t> buffer_alloc(buffer_size);
+    uint32_t *buffer = buffer_alloc.get();
     memset(buffer, 0, buffer_size * sizeof(uint32_t));
 
     memcpy(buffer, data, len);
@@ -167,16 +158,8 @@ class ESP8266PreferenceBackend : public ESPPreferenceBackend {
       return false;
 
     const size_t buffer_size = static_cast<size_t>(this->length_words) + 1;
-    uint32_t stack_buffer[PREF_BUFFER_WORDS];
-    std::unique_ptr<uint32_t[]> heap_buffer;
-    uint32_t *buffer;
-
-    if (buffer_size <= PREF_BUFFER_WORDS) {
-      buffer = stack_buffer;
-    } else {
-      heap_buffer = make_unique<uint32_t[]>(buffer_size);
-      buffer = heap_buffer.get();
-    }
+    SmallBufferWithHeapFallback<PREF_BUFFER_WORDS, uint32_t> buffer_alloc(buffer_size);
+    uint32_t *buffer = buffer_alloc.get();
 
     bool ret = this->in_flash ? load_from_flash(this->offset, buffer, buffer_size)
                               : load_from_rtc(this->offset, buffer, buffer_size);

esphome/components/http_request/http_request.h

@@ -79,6 +79,81 @@ inline bool is_redirect(int const status) {
  */
 inline bool is_success(int const status) { return status >= HTTP_STATUS_OK && status < HTTP_STATUS_MULTIPLE_CHOICES; }
 
+/*
+ * HTTP Container Read Semantics
+ * =============================
+ *
+ * IMPORTANT: These semantics differ from standard BSD sockets!
+ *
+ * BSD socket read() returns:
+ *   > 0: bytes read
+ *   == 0: connection closed (EOF)
+ *   < 0: error (check errno)
+ *
+ * HttpContainer::read() returns:
+ *   > 0: bytes read successfully
+ *   == 0: no data available yet OR all content read
+ *         (caller should check bytes_read vs content_length)
+ *   < 0: error or connection closed (caller should EXIT)
+ *        HTTP_ERROR_CONNECTION_CLOSED (-1) = connection closed prematurely
+ *        other negative values = platform-specific errors
+ *
+ * Platform behaviors:
+ *   - ESP-IDF: blocking reads, 0 only returned when all content read
+ *   - Arduino: non-blocking, 0 means "no data yet" or "all content read"
+ *
+ * Use the helper functions below instead of checking return values directly:
+ *   - http_read_loop_result(): for manual loops with per-chunk processing
+ *   - http_read_fully(): for simple "read N bytes into buffer" operations
+ */
+
+/// Error code returned by HttpContainer::read() when connection closed prematurely
+/// NOTE: Unlike BSD sockets where 0 means EOF, here 0 means "no data yet, retry"
+static constexpr int HTTP_ERROR_CONNECTION_CLOSED = -1;
+
+/// Status of a read operation
+enum class HttpReadStatus : uint8_t {
+  OK,       ///< Read completed successfully
+  ERROR,    ///< Read error occurred
+  TIMEOUT,  ///< Timeout waiting for data
+};
+
+/// Result of an HTTP read operation
+struct HttpReadResult {
+  HttpReadStatus status;  ///< Status of the read operation
+  int error_code;         ///< Error code from read() on failure, 0 on success
+};
+
+/// Result of processing a non-blocking read with timeout (for manual loops)
+enum class HttpReadLoopResult : uint8_t {
+  DATA,     ///< Data was read, process it
+  RETRY,    ///< No data yet, already delayed, caller should continue loop
+  ERROR,    ///< Read error, caller should exit loop
+  TIMEOUT,  ///< Timeout waiting for data, caller should exit loop
+};
+
+/// Process a read result with timeout tracking and delay handling
+/// @param bytes_read_or_error Return value from read() - positive for bytes read, negative for error
+/// @param last_data_time Time of last successful read, updated when data received
+/// @param timeout_ms Maximum time to wait for data
+/// @return DATA if data received, RETRY if should continue loop, ERROR/TIMEOUT if should exit
+inline HttpReadLoopResult http_read_loop_result(int bytes_read_or_error, uint32_t &last_data_time,
+                                                uint32_t timeout_ms) {
+  if (bytes_read_or_error > 0) {
+    last_data_time = millis();
+    return HttpReadLoopResult::DATA;
+  }
+  if (bytes_read_or_error < 0) {
+    return HttpReadLoopResult::ERROR;
+  }
+  // bytes_read_or_error == 0: no data available yet
+  if (millis() - last_data_time >= timeout_ms) {
+    return HttpReadLoopResult::TIMEOUT;
+  }
+  delay(1);  // Small delay to prevent tight spinning
+  return HttpReadLoopResult::RETRY;
+}
+
 class HttpRequestComponent;
 
 class HttpContainer : public Parented<HttpRequestComponent> {
@@ -88,6 +163,33 @@ class HttpContainer : public Parented<HttpRequestComponent> {
   int status_code;
   uint32_t duration_ms;
 
+  /**
+   * @brief Read data from the HTTP response body.
+   *
+   * WARNING: These semantics differ from BSD sockets!
+   * BSD sockets: 0 = EOF (connection closed)
+   * This method: 0 = no data yet OR all content read, negative = error/closed
+   *
+   * @param buf Buffer to read data into
+   * @param max_len Maximum number of bytes to read
+   * @return
+   *   - > 0: Number of bytes read successfully
+   *   - 0: No data available yet OR all content read
+   *        (check get_bytes_read() >= content_length to distinguish)
+   *   - HTTP_ERROR_CONNECTION_CLOSED (-1): Connection closed prematurely
+   *   - < -1: Other error (platform-specific error code)
+   *
+   * Platform notes:
+   *   - ESP-IDF: blocking read, 0 only when all content read
+   *   - Arduino: non-blocking, 0 can mean "no data yet" or "all content read"
+   *
+   * Use get_bytes_read() and content_length to track progress.
+   * When get_bytes_read() >= content_length, all data has been received.
+   *
+   * IMPORTANT: Do not use raw return values directly. Use these helpers:
+   *   - http_read_loop_result(): for loops with per-chunk processing
+   *   - http_read_fully(): for simple "read N bytes" operations
+   */
   virtual int read(uint8_t *buf, size_t max_len) = 0;
   virtual void end() = 0;
 
@@ -110,6 +212,38 @@ class HttpContainer : public Parented<HttpRequestComponent> {
   std::map<std::string, std::list<std::string>> response_headers_{};
 };
 
+/// Read data from HTTP container into buffer with timeout handling
+/// Handles feed_wdt, yield, and timeout checking internally
+/// @param container The HTTP container to read from
+/// @param buffer Buffer to read into
+/// @param total_size Total bytes to read
+/// @param chunk_size Maximum bytes per read call
+/// @param timeout_ms Read timeout in milliseconds
+/// @return HttpReadResult with status and error_code on failure
+inline HttpReadResult http_read_fully(HttpContainer *container, uint8_t *buffer, size_t total_size, size_t chunk_size,
+                                      uint32_t timeout_ms) {
+  size_t read_index = 0;
+  uint32_t last_data_time = millis();
+
+  while (read_index < total_size) {
+    int read_bytes_or_error = container->read(buffer + read_index, std::min(chunk_size, total_size - read_index));
+
+    App.feed_wdt();
+    yield();
+
+    auto result = http_read_loop_result(read_bytes_or_error, last_data_time, timeout_ms);
+    if (result == HttpReadLoopResult::RETRY)
+      continue;
+    if (result == HttpReadLoopResult::ERROR)
+      return {HttpReadStatus::ERROR, read_bytes_or_error};
+    if (result == HttpReadLoopResult::TIMEOUT)
+      return {HttpReadStatus::TIMEOUT, 0};
+
+    read_index += read_bytes_or_error;
+  }
+  return {HttpReadStatus::OK, 0};
+}
+
 class HttpRequestResponseTrigger : public Trigger<std::shared_ptr<HttpContainer>, std::string &> {
  public:
   void process(const std::shared_ptr<HttpContainer> &container, std::string &response_body) {
@@ -124,6 +258,7 @@ class HttpRequestComponent : public Component {
 
   void set_useragent(const char *useragent) { this->useragent_ = useragent; }
   void set_timeout(uint32_t timeout) { this->timeout_ = timeout; }
+  uint32_t get_timeout() const { return this->timeout_; }
   void set_watchdog_timeout(uint32_t watchdog_timeout) { this->watchdog_timeout_ = watchdog_timeout; }
   uint32_t get_watchdog_timeout() const { return this->watchdog_timeout_; }
   void set_follow_redirects(bool follow_redirects) { this->follow_redirects_ = follow_redirects; }
@@ -249,15 +384,21 @@ template<typename... Ts> class HttpRequestSendAction : public Action<Ts...> {
       RAMAllocator<uint8_t> allocator;
       uint8_t *buf = allocator.allocate(max_length);
       if (buf != nullptr) {
+        // NOTE: HttpContainer::read() has non-BSD socket semantics - see top of this file
+        // Use http_read_loop_result() helper instead of checking return values directly
         size_t read_index = 0;
+        uint32_t last_data_time = millis();
+        const uint32_t read_timeout = this->parent_->get_timeout();
         while (container->get_bytes_read() < max_length) {
-          int read = container->read(buf + read_index, std::min<size_t>(max_length - read_index, 512));
-          if (read <= 0) {
-            break;
-          }
+          int read_or_error = container->read(buf + read_index, std::min<size_t>(max_length - read_index, 512));
           App.feed_wdt();
           yield();
-          read_index += read;
+          auto result = http_read_loop_result(read_or_error, last_data_time, read_timeout);
+          if (result == HttpReadLoopResult::RETRY)
+            continue;
+          if (result != HttpReadLoopResult::DATA)
+            break;  // ERROR or TIMEOUT
+          read_index += read_or_error;
         }
         response_body.reserve(read_index);
         response_body.assign((char *) buf, read_index);

esphome/components/http_request/http_request_arduino.cpp

@@ -139,6 +139,23 @@ std::shared_ptr<HttpContainer> HttpRequestArduino::perform(const std::string &ur
   return container;
 }
 
+// Arduino HTTP read implementation
+//
+// WARNING: Return values differ from BSD sockets! See http_request.h for full documentation.
+//
+// Arduino's WiFiClient is inherently non-blocking - available() returns 0 when
+// no data is ready. We use connected() to distinguish "no data yet" from
+// "connection closed".
+//
+// WiFiClient behavior:
+//   available() > 0: data ready to read
+//   available() == 0 && connected(): no data yet, still connected
+//   available() == 0 && !connected(): connection closed
+//
+// We normalize to HttpContainer::read() contract (NOT BSD socket semantics!):
+//   > 0: bytes read
+//   0: no data yet, retry            <-- NOTE: 0 means retry, NOT EOF!
+//   < 0: error/connection closed     <-- connection closed returns -1, not 0
 int HttpContainerArduino::read(uint8_t *buf, size_t max_len) {
   const uint32_t start = millis();
   watchdog::WatchdogManager wdm(this->parent_->get_watchdog_timeout());
@@ -146,7 +163,7 @@ int HttpContainerArduino::read(uint8_t *buf, size_t max_len) {
   WiFiClient *stream_ptr = this->client_.getStreamPtr();
   if (stream_ptr == nullptr) {
     ESP_LOGE(TAG, "Stream pointer vanished!");
-    return -1;
+    return HTTP_ERROR_CONNECTION_CLOSED;
   }
 
   int available_data = stream_ptr->available();
@@ -154,7 +171,15 @@ int HttpContainerArduino::read(uint8_t *buf, size_t max_len) {
 
   if (bufsize == 0) {
     this->duration_ms += (millis() - start);
-    return 0;
+    // Check if we've read all expected content
+    if (this->bytes_read_ >= this->content_length) {
+      return 0;  // All content read successfully
+    }
+    // No data available - check if connection is still open
+    if (!stream_ptr->connected()) {
+      return HTTP_ERROR_CONNECTION_CLOSED;  // Connection closed prematurely
+    }
+    return 0;  // No data yet, caller should retry
   }
 
   App.feed_wdt();

esphome/components/http_request/http_request_idf.cpp

@@ -209,26 +209,57 @@ std::shared_ptr<HttpContainer> HttpRequestIDF::perform(const std::string &url, c
   return container;
 }
 
+// ESP-IDF HTTP read implementation (blocking mode)
+//
+// WARNING: Return values differ from BSD sockets! See http_request.h for full documentation.
+//
+// esp_http_client_read() in blocking mode returns:
+//   > 0: bytes read
+//   0: connection closed (end of stream)
+//   < 0: error
+//
+// We normalize to HttpContainer::read() contract:
+//   > 0: bytes read
+//   0: no data yet / all content read (caller should check bytes_read vs content_length)
+//   < 0: error/connection closed
 int HttpContainerIDF::read(uint8_t *buf, size_t max_len) {
   const uint32_t start = millis();
   watchdog::WatchdogManager wdm(this->parent_->get_watchdog_timeout());
 
-  this->feed_wdt();
-  int read_len = esp_http_client_read(this->client_, (char *) buf, max_len);
-  this->feed_wdt();
-  if (read_len > 0) {
-    this->bytes_read_ += read_len;
+  // Check if we've already read all expected content
+  if (this->bytes_read_ >= this->content_length) {
+    return 0;  // All content read successfully
   }
+
+  this->feed_wdt();
+  int read_len_or_error = esp_http_client_read(this->client_, (char *) buf, max_len);
+  this->feed_wdt();
+
   this->duration_ms += (millis() - start);
 
-  return read_len;
+  if (read_len_or_error > 0) {
+    this->bytes_read_ += read_len_or_error;
+    return read_len_or_error;
+  }
+
+  // Connection closed by server before all content received
+  if (read_len_or_error == 0) {
+    return HTTP_ERROR_CONNECTION_CLOSED;
+  }
+
+  // Negative value - error, return the actual error code for debugging
+  return read_len_or_error;
 }
 
 void HttpContainerIDF::end() {
+  if (this->client_ == nullptr) {
+    return;  // Already cleaned up
+  }
   watchdog::WatchdogManager wdm(this->parent_->get_watchdog_timeout());
 
   esp_http_client_close(this->client_);
   esp_http_client_cleanup(this->client_);
+  this->client_ = nullptr;
 }
 
 void HttpContainerIDF::feed_wdt() {

esphome/components/http_request/ota/ota_http_request.cpp

@@ -115,39 +115,47 @@ uint8_t OtaHttpRequestComponent::do_ota_() {
     return error_code;
   }
 
+  // NOTE: HttpContainer::read() has non-BSD socket semantics - see http_request.h
+  // Use http_read_loop_result() helper instead of checking return values directly
+  uint32_t last_data_time = millis();
+  const uint32_t read_timeout = this->parent_->get_timeout();
+
   while (container->get_bytes_read() < container->content_length) {
-    // read a maximum of chunk_size bytes into buf. (real read size returned)
-    int bufsize = container->read(buf, OtaHttpRequestComponent::HTTP_RECV_BUFFER);
-    ESP_LOGVV(TAG, "bytes_read_ = %u, body_length_ = %u, bufsize = %i", container->get_bytes_read(),
-              container->content_length, bufsize);
+    // read a maximum of chunk_size bytes into buf. (real read size returned, or negative error code)
+    int bufsize_or_error = container->read(buf, OtaHttpRequestComponent::HTTP_RECV_BUFFER);
+    ESP_LOGVV(TAG, "bytes_read_ = %u, body_length_ = %u, bufsize_or_error = %i", container->get_bytes_read(),
+              container->content_length, bufsize_or_error);
 
     // feed watchdog and give other tasks a chance to run
     App.feed_wdt();
     yield();
 
-    // Exit loop if no data available (stream closed or end of data)
-    if (bufsize <= 0) {
-      if (bufsize < 0) {
-        ESP_LOGE(TAG, "Stream closed with error");
-        this->cleanup_(std::move(backend), container);
-        return OTA_CONNECTION_ERROR;
+    auto result = http_read_loop_result(bufsize_or_error, last_data_time, read_timeout);
+    if (result == HttpReadLoopResult::RETRY)
+      continue;
+    if (result != HttpReadLoopResult::DATA) {
+      if (result == HttpReadLoopResult::TIMEOUT) {
+        ESP_LOGE(TAG, "Timeout reading data");
+      } else {
+        ESP_LOGE(TAG, "Error reading data: %d", bufsize_or_error);
       }
-      // bufsize == 0: no more data available, exit loop
-      break;
+      this->cleanup_(std::move(backend), container);
+      return OTA_CONNECTION_ERROR;
     }
 
-    if (bufsize <= OtaHttpRequestComponent::HTTP_RECV_BUFFER) {
+    // At this point bufsize_or_error > 0, so it's a valid size
+    if (bufsize_or_error <= OtaHttpRequestComponent::HTTP_RECV_BUFFER) {
       // add read bytes to MD5
-      md5_receive.add(buf, bufsize);
+      md5_receive.add(buf, bufsize_or_error);
 
       // write bytes to OTA backend
       this->update_started_ = true;
-      error_code = backend->write(buf, bufsize);
+      error_code = backend->write(buf, bufsize_or_error);
       if (error_code != ota::OTA_RESPONSE_OK) {
         // error code explanation available at
         // https://github.com/esphome/esphome/blob/dev/esphome/components/ota/ota_backend.h
         ESP_LOGE(TAG, "Error code (%02X) writing binary data to flash at offset %d and size %d", error_code,
-                 container->get_bytes_read() - bufsize, container->content_length);
+                 container->get_bytes_read() - bufsize_or_error, container->content_length);
         this->cleanup_(std::move(backend), container);
         return error_code;
       }
@@ -244,19 +252,19 @@ bool OtaHttpRequestComponent::http_get_md5_() {
   }
 
   this->md5_expected_.resize(MD5_SIZE);
-  int read_len = 0;
-  while (container->get_bytes_read() < MD5_SIZE) {
-    read_len = container->read((uint8_t *) this->md5_expected_.data(), MD5_SIZE);
-    if (read_len <= 0) {
-      break;
-    }
-    App.feed_wdt();
-    yield();
-  }
+  auto result = http_read_fully(container.get(), (uint8_t *) this->md5_expected_.data(), MD5_SIZE, MD5_SIZE,
+                                this->parent_->get_timeout());
   container->end();
 
-  ESP_LOGV(TAG, "Read len: %u, MD5 expected: %u", read_len, MD5_SIZE);
-  return read_len == MD5_SIZE;
+  if (result.status != HttpReadStatus::OK) {
+    if (result.status == HttpReadStatus::TIMEOUT) {
+      ESP_LOGE(TAG, "Timeout reading MD5");
+    } else {
+      ESP_LOGE(TAG, "Error reading MD5: %d", result.error_code);
+    }
+    return false;
+  }
+  return true;
 }
 
 bool OtaHttpRequestComponent::validate_url_(const std::string &url) {

esphome/components/http_request/update/http_request_update.cpp

@@ -11,7 +11,12 @@ namespace http_request {
 
 // The update function runs in a task only on ESP32s.
 #ifdef USE_ESP32
-#define UPDATE_RETURN vTaskDelete(nullptr)  // Delete the current update task
+// vTaskDelete doesn't return, but clang-tidy doesn't know that
+#define UPDATE_RETURN \
+  do { \
+    vTaskDelete(nullptr); \
+    __builtin_unreachable(); \
+  } while (0)
 #else
 #define UPDATE_RETURN return
 #endif
@@ -70,19 +75,21 @@ void HttpRequestUpdate::update_task(void *params) {
     UPDATE_RETURN;
   }
 
-  size_t read_index = 0;
-  while (container->get_bytes_read() < container->content_length) {
-    int read_bytes = container->read(data + read_index, MAX_READ_SIZE);
-
-    yield();
-
-    if (read_bytes <= 0) {
-      // Network error or connection closed - break to avoid infinite loop
-      break;
+  auto read_result = http_read_fully(container.get(), data, container->content_length, MAX_READ_SIZE,
+                                     this_update->request_parent_->get_timeout());
+  if (read_result.status != HttpReadStatus::OK) {
+    if (read_result.status == HttpReadStatus::TIMEOUT) {
+      ESP_LOGE(TAG, "Timeout reading manifest");
+    } else {
+      ESP_LOGE(TAG, "Error reading manifest: %d", read_result.error_code);
     }
-
-    read_index += read_bytes;
+    // Defer to main loop to avoid race condition on component_state_ read-modify-write
+    this_update->defer([this_update]() { this_update->status_set_error(LOG_STR("Failed to read manifest")); });
+    allocator.deallocate(data, container->content_length);
+    container->end();
+    UPDATE_RETURN;
   }
+  size_t read_index = container->get_bytes_read();
 
   bool valid = false;
   {  // Ensures the response string falls out of scope and deallocates before the task ends

esphome/components/mqtt/custom_mqtt_device.cpp

@@ -18,7 +18,7 @@ bool CustomMQTTDevice::publish(const std::string &topic, float value, int8_t num
 }
 bool CustomMQTTDevice::publish(const std::string &topic, int value) {
   char buffer[24];
-  int len = snprintf(buffer, sizeof(buffer), "%d", value);
+  size_t len = buf_append_printf(buffer, sizeof(buffer), 0, "%d", value);
   return global_mqtt_client->publish(topic, buffer, len);
 }
 bool CustomMQTTDevice::publish_json(const std::string &topic, const json::json_build_t &f, uint8_t qos, bool retain) {

esphome/components/mqtt/mqtt_alarm_control_panel.cpp

@@ -43,7 +43,7 @@ void MQTTAlarmControlPanelComponent::setup() {
 
 void MQTTAlarmControlPanelComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT alarm_control_panel '%s':", this->alarm_control_panel_->get_name().c_str());
-  LOG_MQTT_COMPONENT(true, true)
+  LOG_MQTT_COMPONENT(true, true);
   ESP_LOGCONFIG(TAG,
                 "  Supported Features: %" PRIu32 "\n"
                 "  Requires Code to Disarm: %s\n"

esphome/components/mqtt/mqtt_binary_sensor.cpp

@@ -19,7 +19,7 @@ void MQTTBinarySensorComponent::setup() {
 
 void MQTTBinarySensorComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT Binary Sensor '%s':", this->binary_sensor_->get_name().c_str());
-  LOG_MQTT_COMPONENT(true, false)
+  LOG_MQTT_COMPONENT(true, false);
 }
 MQTTBinarySensorComponent::MQTTBinarySensorComponent(binary_sensor::BinarySensor *binary_sensor)
     : binary_sensor_(binary_sensor) {

esphome/components/mqtt/mqtt_client.cpp

@@ -98,7 +98,17 @@ void MQTTClientComponent::send_device_info_() {
         uint8_t index = 0;
         for (auto &ip : network::get_ip_addresses()) {
           if (ip.is_set()) {
-            root["ip" + (index == 0 ? "" : esphome::to_string(index))] = ip.str();
+            char key[8];  // "ip" + up to 3 digits + null
+            char ip_buf[network::IP_ADDRESS_BUFFER_SIZE];
+            if (index == 0) {
+              key[0] = 'i';
+              key[1] = 'p';
+              key[2] = '\0';
+            } else {
+              buf_append_printf(key, sizeof(key), 0, "ip%u", index);
+            }
+            ip.str_to(ip_buf);
+            root[key] = ip_buf;
             index++;
           }
         }

esphome/components/mqtt/mqtt_component.cpp

@@ -27,20 +27,23 @@ inline char *append_char(char *p, char c) {
 // Max lengths for stack-based topic building.
 // These limits are enforced at Python config validation time in mqtt/__init__.py
 // using cv.Length() validators for topic_prefix and discovery_prefix.
-// MQTT_COMPONENT_TYPE_MAX_LEN and MQTT_SUFFIX_MAX_LEN are defined in mqtt_component.h.
+// MQTT_COMPONENT_TYPE_MAX_LEN, MQTT_SUFFIX_MAX_LEN, and MQTT_DEFAULT_TOPIC_MAX_LEN are in mqtt_component.h.
 // ESPHOME_DEVICE_NAME_MAX_LEN and OBJECT_ID_MAX_LEN are defined in entity_base.h.
 // This ensures the stack buffers below are always large enough.
-static constexpr size_t TOPIC_PREFIX_MAX_LEN = 64;      // Validated in Python: cv.Length(max=64)
 static constexpr size_t DISCOVERY_PREFIX_MAX_LEN = 64;  // Validated in Python: cv.Length(max=64)
-
-// Stack buffer sizes - safe because all inputs are length-validated at config time
-// Format: prefix + "/" + type + "/" + object_id + "/" + suffix + null
-static constexpr size_t DEFAULT_TOPIC_MAX_LEN =
-    TOPIC_PREFIX_MAX_LEN + 1 + MQTT_COMPONENT_TYPE_MAX_LEN + 1 + OBJECT_ID_MAX_LEN + 1 + MQTT_SUFFIX_MAX_LEN + 1;
 // Format: prefix + "/" + type + "/" + name + "/" + object_id + "/config" + null
 static constexpr size_t DISCOVERY_TOPIC_MAX_LEN = DISCOVERY_PREFIX_MAX_LEN + 1 + MQTT_COMPONENT_TYPE_MAX_LEN + 1 +
                                                   ESPHOME_DEVICE_NAME_MAX_LEN + 1 + OBJECT_ID_MAX_LEN + 7 + 1;
 
+// Function implementation of LOG_MQTT_COMPONENT macro to reduce code size
+void log_mqtt_component(const char *tag, MQTTComponent *obj, bool state_topic, bool command_topic) {
+  char buf[MQTT_DEFAULT_TOPIC_MAX_LEN];
+  if (state_topic)
+    ESP_LOGCONFIG(tag, "  State Topic: '%s'", obj->get_state_topic_to_(buf).c_str());
+  if (command_topic)
+    ESP_LOGCONFIG(tag, "  Command Topic: '%s'", obj->get_command_topic_to_(buf).c_str());
+}
+
 void MQTTComponent::set_qos(uint8_t qos) { this->qos_ = qos; }
 
 void MQTTComponent::set_subscribe_qos(uint8_t qos) { this->subscribe_qos_ = qos; }
@@ -69,19 +72,18 @@ std::string MQTTComponent::get_discovery_topic_(const MQTTDiscoveryInfo &discove
   return std::string(buf, p - buf);
 }
 
-std::string MQTTComponent::get_default_topic_for_(const std::string &suffix) const {
+StringRef MQTTComponent::get_default_topic_for_to_(std::span<char, MQTT_DEFAULT_TOPIC_MAX_LEN> buf, const char *suffix,
+                                                   size_t suffix_len) const {
   const std::string &topic_prefix = global_mqtt_client->get_topic_prefix();
   if (topic_prefix.empty()) {
-    // If the topic_prefix is null, the default topic should be null
-    return "";
+    return StringRef();  // Empty topic_prefix means no default topic
   }
 
   const char *comp_type = this->component_type();
   char object_id_buf[OBJECT_ID_MAX_LEN];
   StringRef object_id = this->get_default_object_id_to_(object_id_buf);
 
-  char buf[DEFAULT_TOPIC_MAX_LEN];
-  char *p = buf;
+  char *p = buf.data();
 
   p = append_str(p, topic_prefix.data(), topic_prefix.size());
   p = append_char(p, '/');
@@ -89,21 +91,44 @@ std::string MQTTComponent::get_default_topic_for_(const std::string &suffix) con
   p = append_char(p, '/');
   p = append_str(p, object_id.c_str(), object_id.size());
   p = append_char(p, '/');
-  p = append_str(p, suffix.data(), suffix.size());
+  p = append_str(p, suffix, suffix_len);
+  *p = '\0';
 
-  return std::string(buf, p - buf);
+  return StringRef(buf.data(), p - buf.data());
+}
+
+std::string MQTTComponent::get_default_topic_for_(const std::string &suffix) const {
+  char buf[MQTT_DEFAULT_TOPIC_MAX_LEN];
+  StringRef ref = this->get_default_topic_for_to_(buf, suffix.data(), suffix.size());
+  return std::string(ref.c_str(), ref.size());
+}
+
+StringRef MQTTComponent::get_state_topic_to_(std::span<char, MQTT_DEFAULT_TOPIC_MAX_LEN> buf) const {
+  if (this->custom_state_topic_.has_value()) {
+    // Returns ref to existing data for static/value, uses buf only for lambda case
+    return this->custom_state_topic_.ref_or_copy_to(buf.data(), buf.size());
+  }
+  return this->get_default_topic_for_to_(buf, "state", 5);
+}
+
+StringRef MQTTComponent::get_command_topic_to_(std::span<char, MQTT_DEFAULT_TOPIC_MAX_LEN> buf) const {
+  if (this->custom_command_topic_.has_value()) {
+    // Returns ref to existing data for static/value, uses buf only for lambda case
+    return this->custom_command_topic_.ref_or_copy_to(buf.data(), buf.size());
+  }
+  return this->get_default_topic_for_to_(buf, "command", 7);
 }
 
 std::string MQTTComponent::get_state_topic_() const {
-  if (this->custom_state_topic_.has_value())
-    return this->custom_state_topic_.value();
-  return this->get_default_topic_for_("state");
+  char buf[MQTT_DEFAULT_TOPIC_MAX_LEN];
+  StringRef ref = this->get_state_topic_to_(buf);
+  return std::string(ref.c_str(), ref.size());
 }
 
 std::string MQTTComponent::get_command_topic_() const {
-  if (this->custom_command_topic_.has_value())
-    return this->custom_command_topic_.value();
-  return this->get_default_topic_for_("command");
+  char buf[MQTT_DEFAULT_TOPIC_MAX_LEN];
+  StringRef ref = this->get_command_topic_to_(buf);
+  return std::string(ref.c_str(), ref.size());
 }
 
 bool MQTTComponent::publish(const std::string &topic, const std::string &payload) {
@@ -168,10 +193,14 @@ bool MQTTComponent::send_discovery_() {
             break;
         }
 
-        if (config.state_topic)
-          root[MQTT_STATE_TOPIC] = this->get_state_topic_();
-        if (config.command_topic)
-          root[MQTT_COMMAND_TOPIC] = this->get_command_topic_();
+        if (config.state_topic) {
+          char state_topic_buf[MQTT_DEFAULT_TOPIC_MAX_LEN];
+          root[MQTT_STATE_TOPIC] = this->get_state_topic_to_(state_topic_buf);
+        }
+        if (config.command_topic) {
+          char command_topic_buf[MQTT_DEFAULT_TOPIC_MAX_LEN];
+          root[MQTT_COMMAND_TOPIC] = this->get_command_topic_to_(command_topic_buf);
+        }
         if (this->command_retain_)
           root[MQTT_COMMAND_RETAIN] = true;
 
@@ -190,27 +219,37 @@ bool MQTTComponent::send_discovery_() {
         StringRef object_id = this->get_default_object_id_to_(object_id_buf);
         if (discovery_info.unique_id_generator == MQTT_MAC_ADDRESS_UNIQUE_ID_GENERATOR) {
           char friendly_name_hash[9];
-          snprintf(friendly_name_hash, sizeof(friendly_name_hash), "%08" PRIx32, fnv1_hash(this->friendly_name_()));
+          buf_append_printf(friendly_name_hash, sizeof(friendly_name_hash), 0, "%08" PRIx32,
+                            fnv1_hash(this->friendly_name_()));
           // Format: mac-component_type-hash (e.g. "aabbccddeeff-sensor-12345678")
           // MAC (12) + "-" (1) + domain (max 20) + "-" (1) + hash (8) + null (1) = 43
           char unique_id[MAC_ADDRESS_BUFFER_SIZE + ESPHOME_DOMAIN_MAX_LEN + 11];
           char mac_buf[MAC_ADDRESS_BUFFER_SIZE];
           get_mac_address_into_buffer(mac_buf);
-          snprintf(unique_id, sizeof(unique_id), "%s-%s-%s", mac_buf, this->component_type(), friendly_name_hash);
+          buf_append_printf(unique_id, sizeof(unique_id), 0, "%s-%s-%s", mac_buf, this->component_type(),
+                            friendly_name_hash);
           root[MQTT_UNIQUE_ID] = unique_id;
         } else {
           // default to almost-unique ID. It's a hack but the only way to get that
           // gorgeous device registry view.
-          root[MQTT_UNIQUE_ID] = "ESP" + std::string(this->component_type()) + object_id.c_str();
+          // "ESP" (3) + component_type (max 20) + object_id (max 128) + null
+          char unique_id_buf[3 + MQTT_COMPONENT_TYPE_MAX_LEN + OBJECT_ID_MAX_LEN + 1];
+          buf_append_printf(unique_id_buf, sizeof(unique_id_buf), 0, "ESP%s%s", this->component_type(),
+                            object_id.c_str());
+          root[MQTT_UNIQUE_ID] = unique_id_buf;
         }
 
         const std::string &node_name = App.get_name();
-        if (discovery_info.object_id_generator == MQTT_DEVICE_NAME_OBJECT_ID_GENERATOR)
-          root[MQTT_OBJECT_ID] = node_name + "_" + object_id.c_str();
+        if (discovery_info.object_id_generator == MQTT_DEVICE_NAME_OBJECT_ID_GENERATOR) {
+          // node_name (max 31) + "_" (1) + object_id (max 128) + null
+          char object_id_full[ESPHOME_DEVICE_NAME_MAX_LEN + 1 + OBJECT_ID_MAX_LEN + 1];
+          buf_append_printf(object_id_full, sizeof(object_id_full), 0, "%s_%s", node_name.c_str(), object_id.c_str());
+          root[MQTT_OBJECT_ID] = object_id_full;
+        }
 
         const std::string &friendly_name_ref = App.get_friendly_name();
         const std::string &node_friendly_name = friendly_name_ref.empty() ? node_name : friendly_name_ref;
-        std::string node_area = App.get_area();
+        const char *node_area = App.get_area();
 
         JsonObject device_info = root[MQTT_DEVICE].to<JsonObject>();
         char mac[MAC_ADDRESS_BUFFER_SIZE];
@@ -221,18 +260,29 @@ bool MQTTComponent::send_discovery_() {
         device_info[MQTT_DEVICE_SW_VERSION] = ESPHOME_PROJECT_VERSION " (ESPHome " ESPHOME_VERSION ")";
         const char *model = std::strchr(ESPHOME_PROJECT_NAME, '.');
         device_info[MQTT_DEVICE_MODEL] = model == nullptr ? ESPHOME_BOARD : model + 1;
-        device_info[MQTT_DEVICE_MANUFACTURER] =
-            model == nullptr ? ESPHOME_PROJECT_NAME : std::string(ESPHOME_PROJECT_NAME, model - ESPHOME_PROJECT_NAME);
+        if (model == nullptr) {
+          device_info[MQTT_DEVICE_MANUFACTURER] = ESPHOME_PROJECT_NAME;
+        } else {
+          // Extract manufacturer (part before '.') using stack buffer to avoid heap allocation
+          // memcpy is used instead of strncpy since we know the exact length and strncpy
+          // would still require manual null-termination
+          char manufacturer[sizeof(ESPHOME_PROJECT_NAME)];
+          size_t len = model - ESPHOME_PROJECT_NAME;
+          memcpy(manufacturer, ESPHOME_PROJECT_NAME, len);
+          manufacturer[len] = '\0';
+          device_info[MQTT_DEVICE_MANUFACTURER] = manufacturer;
+        }
 #else
         static const char ver_fmt[] PROGMEM = ESPHOME_VERSION " (config hash 0x%08" PRIx32 ")";
+        // Buffer sized for format string expansion: ~4 bytes net growth from format specifier to 8 hex digits, plus
+        // safety margin
+        char version_buf[sizeof(ver_fmt) + 8];
 #ifdef USE_ESP8266
-        char fmt_buf[sizeof(ver_fmt)];
-        strcpy_P(fmt_buf, ver_fmt);
-        const char *fmt = fmt_buf;
+        snprintf_P(version_buf, sizeof(version_buf), ver_fmt, App.get_config_hash());
 #else
-        const char *fmt = ver_fmt;
+        snprintf(version_buf, sizeof(version_buf), ver_fmt, App.get_config_hash());
 #endif
-        device_info[MQTT_DEVICE_SW_VERSION] = str_sprintf(fmt, App.get_config_hash());
+        device_info[MQTT_DEVICE_SW_VERSION] = version_buf;
         device_info[MQTT_DEVICE_MODEL] = ESPHOME_BOARD;
 #if defined(USE_ESP8266) || defined(USE_ESP32)
         device_info[MQTT_DEVICE_MANUFACTURER] = "Espressif";
@@ -246,7 +296,7 @@ bool MQTTComponent::send_discovery_() {
         device_info[MQTT_DEVICE_MANUFACTURER] = "Host";
 #endif
 #endif
-        if (!node_area.empty()) {
+        if (node_area[0] != '\0') {
           device_info[MQTT_DEVICE_SUGGESTED_AREA] = node_area;
         }
 
@@ -288,7 +338,9 @@ void MQTTComponent::set_availability(std::string topic, std::string payload_avai
 }
 void MQTTComponent::disable_availability() { this->set_availability("", "", ""); }
 void MQTTComponent::call_setup() {
-  if (this->is_internal())
+  // Cache is_internal result once during setup - topics don't change after this
+  this->is_internal_ = this->compute_is_internal_();
+  if (this->is_internal_)
     return;
 
   this->setup();
@@ -340,26 +392,28 @@ StringRef MQTTComponent::get_default_object_id_to_(std::span<char, OBJECT_ID_MAX
 }
 StringRef MQTTComponent::get_icon_ref_() const { return this->get_entity()->get_icon_ref(); }
 bool MQTTComponent::is_disabled_by_default_() const { return this->get_entity()->is_disabled_by_default(); }
-bool MQTTComponent::is_internal() {
+bool MQTTComponent::compute_is_internal_() {
   if (this->custom_state_topic_.has_value()) {
-    // If the custom state_topic is null, return true as it is internal and should not publish
+    // If the custom state_topic is empty, return true as it is internal and should not publish
     // else, return false, as it is explicitly set to a topic, so it is not internal and should publish
-    return this->get_state_topic_().empty();
+    // Using is_empty() avoids heap allocation for non-lambda cases
+    return this->custom_state_topic_.is_empty();
   }
 
   if (this->custom_command_topic_.has_value()) {
-    // If the custom command_topic is null, return true as it is internal and should not publish
+    // If the custom command_topic is empty, return true as it is internal and should not publish
     // else, return false, as it is explicitly set to a topic, so it is not internal and should publish
-    return this->get_command_topic_().empty();
+    // Using is_empty() avoids heap allocation for non-lambda cases
+    return this->custom_command_topic_.is_empty();
   }
 
-  // No custom topics have been set
-  if (this->get_default_topic_for_("").empty()) {
-    // If the default topic prefix is null, then the component, by default, is internal and should not publish
+  // No custom topics have been set - check topic_prefix directly to avoid allocation
+  if (global_mqtt_client->get_topic_prefix().empty()) {
+    // If the default topic prefix is empty, then the component, by default, is internal and should not publish
     return true;
   }
 
-  // Use ESPHome's component internal state if topic_prefix is not null with no custom state_topic or command_topic
+  // Use ESPHome's component internal state if topic_prefix is not empty with no custom state_topic or command_topic
   return this->get_entity()->is_internal();
 }
 

esphome/components/mqtt/mqtt_component.h

@@ -20,17 +20,22 @@ struct SendDiscoveryConfig {
   bool command_topic{true};  ///< If the command topic should be included. Default to true.
 };
 
-// Max lengths for stack-based topic building (must match mqtt_component.cpp)
+// Max lengths for stack-based topic building.
+// These limits are enforced at Python config validation time in mqtt/__init__.py
+// using cv.Length() validators for topic_prefix and discovery_prefix.
+// This ensures the stack buffers are always large enough.
 static constexpr size_t MQTT_COMPONENT_TYPE_MAX_LEN = 20;
 static constexpr size_t MQTT_SUFFIX_MAX_LEN = 32;
+static constexpr size_t MQTT_TOPIC_PREFIX_MAX_LEN = 64;  // Validated in Python: cv.Length(max=64)
+// Stack buffer size - safe because all inputs are length-validated at config time
+// Format: prefix + "/" + type + "/" + object_id + "/" + suffix + null
+static constexpr size_t MQTT_DEFAULT_TOPIC_MAX_LEN =
+    MQTT_TOPIC_PREFIX_MAX_LEN + 1 + MQTT_COMPONENT_TYPE_MAX_LEN + 1 + OBJECT_ID_MAX_LEN + 1 + MQTT_SUFFIX_MAX_LEN + 1;
 
-#define LOG_MQTT_COMPONENT(state_topic, command_topic) \
-  if (state_topic) { \
-    ESP_LOGCONFIG(TAG, "  State Topic: '%s'", this->get_state_topic_().c_str()); \
-  } \
-  if (command_topic) { \
-    ESP_LOGCONFIG(TAG, "  Command Topic: '%s'", this->get_command_topic_().c_str()); \
-  }
+class MQTTComponent;  // Forward declaration
+void log_mqtt_component(const char *tag, MQTTComponent *obj, bool state_topic, bool command_topic);
+
+#define LOG_MQTT_COMPONENT(state_topic, command_topic) log_mqtt_component(TAG, this, state_topic, command_topic)
 
 // Macro to define component_type() with compile-time length verification
 // Usage: MQTT_COMPONENT_TYPE(MQTTSensorComponent, "sensor")
@@ -74,6 +79,8 @@ static constexpr size_t MQTT_SUFFIX_MAX_LEN = 32;
  * a clean separation.
  */
 class MQTTComponent : public Component {
+  friend void log_mqtt_component(const char *tag, MQTTComponent *obj, bool state_topic, bool command_topic);
+
  public:
   /// Constructs a MQTTComponent.
   explicit MQTTComponent();
@@ -88,7 +95,8 @@ class MQTTComponent : public Component {
 
   virtual bool send_initial_state() = 0;
 
-  virtual bool is_internal();
+  /// Returns cached is_internal result (computed once during setup).
+  bool is_internal() const { return this->is_internal_; }
 
   /// Set QOS for state messages.
   void set_qos(uint8_t qos);
@@ -179,7 +187,16 @@ class MQTTComponent : public Component {
   /// Helper method to get the discovery topic for this component.
   std::string get_discovery_topic_(const MQTTDiscoveryInfo &discovery_info) const;
 
-  /** Get this components state/command/... topic.
+  /** Get this components state/command/... topic into a buffer.
+   *
+   * @param buf The buffer to write to (must be exactly MQTT_DEFAULT_TOPIC_MAX_LEN).
+   * @param suffix The suffix/key such as "state" or "command".
+   * @return StringRef pointing to the buffer with the topic.
+   */
+  StringRef get_default_topic_for_to_(std::span<char, MQTT_DEFAULT_TOPIC_MAX_LEN> buf, const char *suffix,
+                                      size_t suffix_len) const;
+
+  /** Get this components state/command/... topic (allocates std::string).
    *
    * @param suffix The suffix/key such as "state" or "command".
    * @return The full topic.
@@ -200,10 +217,20 @@ class MQTTComponent : public Component {
   /// Get whether the underlying Entity is disabled by default
   bool is_disabled_by_default_() const;
 
-  /// Get the MQTT topic that new states will be shared to.
+  /// Get the MQTT state topic into a buffer (no heap allocation for non-lambda custom topics).
+  /// @param buf Buffer of exactly MQTT_DEFAULT_TOPIC_MAX_LEN bytes.
+  /// @return StringRef pointing to the topic in the buffer.
+  StringRef get_state_topic_to_(std::span<char, MQTT_DEFAULT_TOPIC_MAX_LEN> buf) const;
+
+  /// Get the MQTT command topic into a buffer (no heap allocation for non-lambda custom topics).
+  /// @param buf Buffer of exactly MQTT_DEFAULT_TOPIC_MAX_LEN bytes.
+  /// @return StringRef pointing to the topic in the buffer.
+  StringRef get_command_topic_to_(std::span<char, MQTT_DEFAULT_TOPIC_MAX_LEN> buf) const;
+
+  /// Get the MQTT topic that new states will be shared to (allocates std::string).
   std::string get_state_topic_() const;
 
-  /// Get the MQTT topic for listening to commands.
+  /// Get the MQTT topic for listening to commands (allocates std::string).
   std::string get_command_topic_() const;
 
   bool is_connected_() const;
@@ -221,12 +248,18 @@ class MQTTComponent : public Component {
 
   std::unique_ptr<Availability> availability_;
 
-  bool command_retain_{false};
-  bool retain_{true};
-  uint8_t qos_{0};
-  uint8_t subscribe_qos_{0};
-  bool discovery_enabled_{true};
-  bool resend_state_{false};
+  // Packed bitfields - QoS values are 0-2, bools are flags
+  uint8_t qos_ : 2 {0};
+  uint8_t subscribe_qos_ : 2 {0};
+  bool command_retain_ : 1 {false};
+  bool retain_ : 1 {true};
+  bool discovery_enabled_ : 1 {true};
+  bool resend_state_ : 1 {false};
+  bool is_internal_ : 1 {false};  ///< Cached result of compute_is_internal_(), set during setup
+
+  /// Compute is_internal status based on topics and entity state.
+  /// Called once during setup to cache the result.
+  bool compute_is_internal_();
 };
 
 }  // namespace esphome::mqtt

esphome/components/mqtt/mqtt_cover.cpp

@@ -51,7 +51,7 @@ void MQTTCoverComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT cover '%s':", this->cover_->get_name().c_str());
   auto traits = this->cover_->get_traits();
   bool has_command_topic = traits.get_supports_position() || !traits.get_supports_tilt();
-  LOG_MQTT_COMPONENT(true, has_command_topic)
+  LOG_MQTT_COMPONENT(true, has_command_topic);
   if (traits.get_supports_position()) {
     ESP_LOGCONFIG(TAG,
                   "  Position State Topic: '%s'\n"

esphome/components/mqtt/mqtt_date.cpp

@@ -36,7 +36,7 @@ void MQTTDateComponent::setup() {
 
 void MQTTDateComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT Date '%s':", this->date_->get_name().c_str());
-  LOG_MQTT_COMPONENT(true, true)
+  LOG_MQTT_COMPONENT(true, true);
 }
 
 MQTT_COMPONENT_TYPE(MQTTDateComponent, "date")

esphome/components/mqtt/mqtt_datetime.cpp

@@ -47,7 +47,7 @@ void MQTTDateTimeComponent::setup() {
 
 void MQTTDateTimeComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT DateTime '%s':", this->datetime_->get_name().c_str());
-  LOG_MQTT_COMPONENT(true, true)
+  LOG_MQTT_COMPONENT(true, true);
 }
 
 MQTT_COMPONENT_TYPE(MQTTDateTimeComponent, "datetime")

esphome/components/mqtt/mqtt_fan.cpp

@@ -175,7 +175,7 @@ bool MQTTFanComponent::publish_state() {
   auto traits = this->state_->get_traits();
   if (traits.supports_speed()) {
     char buf[12];
-    int len = snprintf(buf, sizeof(buf), "%d", this->state_->speed);
+    size_t len = buf_append_printf(buf, sizeof(buf), 0, "%d", this->state_->speed);
     bool success = this->publish(this->get_speed_level_state_topic(), buf, len);
     failed = failed || !success;
   }

esphome/components/mqtt/mqtt_light.cpp

@@ -90,7 +90,7 @@ void MQTTJSONLightComponent::send_discovery(JsonObject root, mqtt::SendDiscovery
 bool MQTTJSONLightComponent::send_initial_state() { return this->publish_state_(); }
 void MQTTJSONLightComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT Light '%s':", this->state_->get_name().c_str());
-  LOG_MQTT_COMPONENT(true, true)
+  LOG_MQTT_COMPONENT(true, true);
 }
 
 }  // namespace esphome::mqtt

esphome/components/mqtt/mqtt_number.cpp

@@ -30,7 +30,7 @@ void MQTTNumberComponent::setup() {
 
 void MQTTNumberComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT Number '%s':", this->number_->get_name().c_str());
-  LOG_MQTT_COMPONENT(true, false)
+  LOG_MQTT_COMPONENT(true, false);
 }
 
 MQTT_COMPONENT_TYPE(MQTTNumberComponent, "number")
@@ -75,7 +75,7 @@ bool MQTTNumberComponent::send_initial_state() {
 }
 bool MQTTNumberComponent::publish_state(float value) {
   char buffer[64];
-  snprintf(buffer, sizeof(buffer), "%f", value);
+  buf_append_printf(buffer, sizeof(buffer), 0, "%f", value);
   return this->publish(this->get_state_topic_(), buffer);
 }
 

esphome/components/mqtt/mqtt_select.cpp

@@ -25,7 +25,7 @@ void MQTTSelectComponent::setup() {
 
 void MQTTSelectComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT Select '%s':", this->select_->get_name().c_str());
-  LOG_MQTT_COMPONENT(true, false)
+  LOG_MQTT_COMPONENT(true, false);
 }
 
 MQTT_COMPONENT_TYPE(MQTTSelectComponent, "select")

esphome/components/mqtt/mqtt_sensor.cpp

@@ -28,7 +28,7 @@ void MQTTSensorComponent::dump_config() {
   if (this->get_expire_after() > 0) {
     ESP_LOGCONFIG(TAG, "  Expire After: %" PRIu32 "s", this->get_expire_after() / 1000);
   }
-  LOG_MQTT_COMPONENT(true, false)
+  LOG_MQTT_COMPONENT(true, false);
 }
 
 MQTT_COMPONENT_TYPE(MQTTSensorComponent, "sensor")

esphome/components/mqtt/mqtt_text.cpp

@@ -26,7 +26,7 @@ void MQTTTextComponent::setup() {
 
 void MQTTTextComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT text '%s':", this->text_->get_name().c_str());
-  LOG_MQTT_COMPONENT(true, true)
+  LOG_MQTT_COMPONENT(true, true);
 }
 
 MQTT_COMPONENT_TYPE(MQTTTextComponent, "text")

esphome/components/mqtt/mqtt_time.cpp

@@ -36,7 +36,7 @@ void MQTTTimeComponent::setup() {
 
 void MQTTTimeComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT Time '%s':", this->time_->get_name().c_str());
-  LOG_MQTT_COMPONENT(true, true)
+  LOG_MQTT_COMPONENT(true, true);
 }
 
 MQTT_COMPONENT_TYPE(MQTTTimeComponent, "time")

esphome/components/mqtt/mqtt_valve.cpp

@@ -39,7 +39,7 @@ void MQTTValveComponent::dump_config() {
   ESP_LOGCONFIG(TAG, "MQTT valve '%s':", this->valve_->get_name().c_str());
   auto traits = this->valve_->get_traits();
   bool has_command_topic = traits.get_supports_position();
-  LOG_MQTT_COMPONENT(true, has_command_topic)
+  LOG_MQTT_COMPONENT(true, has_command_topic);
   if (traits.get_supports_position()) {
     ESP_LOGCONFIG(TAG,
                   "  Position State Topic: '%s'\n"

esphome/core/automation.h

@@ -4,6 +4,7 @@
 #include "esphome/core/defines.h"
 #include "esphome/core/helpers.h"
 #include "esphome/core/preferences.h"
+#include "esphome/core/string_ref.h"
 #include <concepts>
 #include <functional>
 #include <utility>
@@ -190,15 +191,55 @@ template<typename T, typename... X> class TemplatableValue {
   /// Get the static string pointer (only valid if is_static_string() returns true)
   const char *get_static_string() const { return this->static_str_; }
 
- protected:
-  enum : uint8_t {
-    NONE,
-    VALUE,
-    LAMBDA,
-    STATELESS_LAMBDA,
-    STATIC_STRING,  // For const char* when T is std::string - avoids heap allocation
-  } type_;
+  /// Check if the string value is empty without allocating (for std::string specialization).
+  /// For NONE, returns true. For STATIC_STRING/VALUE, checks without allocation.
+  /// For LAMBDA/STATELESS_LAMBDA, must call value() which may allocate.
+  bool is_empty() const requires std::same_as<T, std::string> {
+    switch (this->type_) {
+      case NONE:
+        return true;
+      case STATIC_STRING:
+        return this->static_str_ == nullptr || this->static_str_[0] == '\0';
+      case VALUE:
+        return this->value_->empty();
+      default:  // LAMBDA/STATELESS_LAMBDA - must call value()
+        return this->value().empty();
+    }
+  }
 
+  /// Get a StringRef to the string value without heap allocation when possible.
+  /// For STATIC_STRING/VALUE, returns reference to existing data (no allocation).
+  /// For LAMBDA/STATELESS_LAMBDA, calls value(), copies to provided buffer, returns ref to buffer.
+  /// @param lambda_buf Buffer used only for lambda case (must remain valid while StringRef is used).
+  /// @param lambda_buf_size Size of the buffer.
+  /// @return StringRef pointing to the string data.
+  StringRef ref_or_copy_to(char *lambda_buf, size_t lambda_buf_size) const requires std::same_as<T, std::string> {
+    switch (this->type_) {
+      case NONE:
+        return StringRef();
+      case STATIC_STRING:
+        if (this->static_str_ == nullptr)
+          return StringRef();
+        return StringRef(this->static_str_, strlen(this->static_str_));
+      case VALUE:
+        return StringRef(this->value_->data(), this->value_->size());
+      default: {  // LAMBDA/STATELESS_LAMBDA - must call value() and copy
+        std::string result = this->value();
+        size_t copy_len = std::min(result.size(), lambda_buf_size - 1);
+        memcpy(lambda_buf, result.data(), copy_len);
+        lambda_buf[copy_len] = '\0';
+        return StringRef(lambda_buf, copy_len);
+      }
+    }
+  }
+
+ protected : enum : uint8_t {
+   NONE,
+   VALUE,
+   LAMBDA,
+   STATELESS_LAMBDA,
+   STATIC_STRING,  // For const char* when T is std::string - avoids heap allocation
+ } type_;
   // For std::string, use heap pointer to minimize union size (4 bytes vs 12+).
   // For other types, store value inline as before.
   using ValueStorage = std::conditional_t<USE_HEAP_STORAGE, T *, T>;

esphome/core/helpers.h

@@ -655,9 +655,11 @@ inline uint32_t fnv1_hash_object_id(const char *str, size_t len) {
 }
 
 /// snprintf-like function returning std::string of maximum length \p len (excluding null terminator).
+/// @warning Allocates heap memory. Use snprintf() with a stack buffer instead.
 std::string __attribute__((format(printf, 1, 3))) str_snprintf(const char *fmt, size_t len, ...);
 
 /// sprintf-like function returning std::string.
+/// @warning Allocates heap memory. Use snprintf() with a stack buffer instead.
 std::string __attribute__((format(printf, 1, 2))) str_sprintf(const char *fmt, ...);
 
 #ifdef USE_ESP8266

script/ci-custom.py

@@ -692,6 +692,8 @@ HEAP_ALLOCATING_HELPERS = {
     "str_truncate": "removal (function is unused)",
     "str_upper_case": "removal (function is unused)",
     "str_snake_case": "removal (function is unused)",
+    "str_sprintf": "snprintf() with a stack buffer",
+    "str_snprintf": "snprintf() with a stack buffer",
 }
 
 
@@ -710,7 +712,9 @@ HEAP_ALLOCATING_HELPERS = {
     r"str_sanitize(?!_)|"
     r"str_truncate|"
     r"str_upper_case|"
-    r"str_snake_case"
+    r"str_snake_case|"
+    r"str_sprintf|"
+    r"str_snprintf"
     r")\s*\(" + CPP_RE_EOL,
     include=cpp_include,
     exclude=[