mirror of
https://github.com/ruvnet/RuView
synced 2026-06-09 10:13:17 +00:00
eb996294fb14b336a716f8dc961acb8de73a91c7
670 Commits
| Author | SHA1 | Message | Date | |
|---|---|---|---|---|
 ruv
|
eb996294fb |
feat(adr-118/p1.3): Sink marker traits + PrivacyClass::try_from (17/17 GREEN)
Iter 3. Lands the structural enforcement of ADR-118 invariant I1
("raw BFI never exits the node") and ADR-120 §2.2 ("Sink marker types").
Added:
- src/sink.rs:
* Sink trait with MIN_CLASS and KIND associated constants
* LocalSink (Raw OK), NetworkSink (Derived+ only), MatterSink (Anonymous+)
* Hierarchy: MatterSink: NetworkSink (every Matter sink is a NetworkSink)
* check_class<S>(class) runtime gate, returns PrivacyViolation{reason:KIND}
* Zero-sized kind tags: LocalKind / NetworkKind / MatterKind
- PrivacyClass::as_u8() const helper
- TryFrom<u8> for PrivacyClass (0..=3 valid; 4..=255 → InvalidPrivacyClass)
- BfldError::InvalidPrivacyClass(u8) variant
tests/sink_enforcement.rs adds 8 tests:
privacy_class_try_from_accepts_all_four_valid_bytes
privacy_class_try_from_rejects_out_of_range_bytes
privacy_class_byte_roundtrip_is_stable
local_sink_accepts_all_classes
network_sink_rejects_raw_frames
network_sink_accepts_derived_anonymous_restricted
matter_sink_rejects_raw_and_derived
matter_sink_accepts_anonymous_and_restricted
Out of scope (next iter):
- BfldFrame (header + payload + section length-prefixes + CRC32 over payload)
— needs the `crc` crate dependency.
- PrivacyGate::demote(frame, target_class) transformer (ADR-120 §2.4).
- compile-fail test that proves a sink-trait bound rejects Raw at compile
time — needs `trybuild` integration; deferred to a separate iter.
cargo test -p wifi-densepose-bfld --no-default-features → 17 passed, 0 failed
(3 frame_header_size + 6 header_roundtrip + 8 sink_enforcement)
Co-Authored-By: claude-flow <ruv@ruv.net>
v1260
v1261
v1259
|
||
|
ruv
|
be4dad6ede |
feat(adr-118/p1.2): header encode/decode + 6 round-trip tests (9/9 GREEN)
Iter 2 of the BFLD rollout. Adds the canonical little-endian wire form for
BfldFrameHeader with safe (no unsafe) encoders/decoders. Covers ADR-119 AC5
(round-trip preservation), AC6 (deterministic serialization), and partial
AC1 (constant wire size) / AC4 (rejects bad magic + bad version).
Added:
- BfldFrameHeader::empty() — convenience constructor with magic/version set
- BfldFrameHeader::to_le_bytes() -> [u8; 86]
- BfldFrameHeader::from_le_bytes(&[u8; 86]) -> Result<Self, BfldError>
- Field-level doc strings on every header field (clears all 21 missing-docs
warnings the iter 1 commit logged)
- tests/header_roundtrip.rs — 6 named tests:
header_roundtrip_preserves_all_fields
header_serialization_is_deterministic
header_magic_is_at_offset_zero_little_endian (LE byte order proof)
parsing_rejects_invalid_magic
parsing_rejects_unsupported_version
wire_size_is_constant
Implementation notes:
- Used #[derive(Default)] on BfldFrameHeader so empty() can build cleanly.
- to_le_bytes copies packed fields into locals first to dodge unaligned-
borrow lints; from_le_bytes uses try_into() on byte slices.
- All field reads/writes are #[forbid(unsafe_code)] compliant.
Out of scope (next iter targets):
- BfldFrame (header + payload sections + section-length prefixes + CRC32
computation over payload bytes only) — needs the `crc` crate dependency.
- PrivacyGate::demote(...) skeleton (ADR-120 §2.4).
- SinkMarker traits (LocalSink / NetworkSink / MatterSink) — ADR-120 §2.2.
cargo test -p wifi-densepose-bfld --no-default-features → 9 passed, 0 failed
Co-Authored-By: claude-flow <ruv@ruv.net>
|
||
|
ruv
|
c965e3e6c0 |
feat(adr-118/p1): scaffold wifi-densepose-bfld crate + frame header (3/3 tests GREEN)
Land P1 of the BFLD rollout — the wire-format primitives: - New workspace member: v2/crates/wifi-densepose-bfld - PrivacyClass enum (Raw/Derived/Anonymous/Restricted) with allows_network() and allows_matter() const helpers reflecting ADR-120 §2.2 and ADR-122 §2.4 - BfldFrameHeader (#[repr(C, packed)]) per ADR-119 §2.1 - BFLD_MAGIC = 0xBF1D_0001, BFLD_VERSION = 1 - BfldError variants for InvalidMagic / UnsupportedVersion / Crc / PrivacyViolation - soul-signature cargo feature (gated, default OFF) per ADR-118 §1.4 - Compile-time size assertion via static_assertions::const_assert_eq! - 3 acceptance tests in tests/frame_header_size.rs (all pass) Bug fix: - ADR-119 AC1 claimed BfldFrameHeader is 40 bytes. Actual packed layout sums to 86 bytes. Updated AC1 and §2.1 prose to match. const_assert in frame.rs pins the value structurally — a future field addition that breaks the size fails to compile. Out of scope for this iter (deferred to later P1 commits): - Field-level missing-docs warnings (21) — addressed alongside accessor helpers - Payload section parsing — needs the section-length prefix tests - Round-trip serialize/parse — covered by a fixture-based test in the next iter cargo test -p wifi-densepose-bfld --no-default-features → 3 passed, 0 failed Co-Authored-By: claude-flow <ruv@ruv.net> |
||
|
ruv
|
833ac84059 |
docs(adr-117): point README + user-guide at the live PyPI releases
Both packages are now live on PyPI; bring the in-repo docs up to match. Keep both updates brief — the canonical surface documentation lives on the PyPI project pages themselves. Root README (Option 4 block): - Switch the default `pip install` example to `ruview` (the brand name) and note `wifi-densepose` is equivalent. - Add live PyPI version badges for both packages. docs/user-guide.md (§Python wheel): - Replace the single-install example with a table showing both PyPI projects and their import names so users see the choice immediately. - Add three short usage snippets (vitals, live sensing-server WS, HA-MIND semantic-primitive MQTT listener) so the guide doubles as a "what does this thing do?" reference for someone landing via pip. - Note the cibuildwheel matrix for multi-arch wheels. - Add the `pytest tests/` + `pytest bench/` source-build verify steps. No code or test changes. Refs: docs/adr/ADR-117-pip-wifi-densepose-modernization.md Refs: #786 Co-Authored-By: claude-flow <ruv@ruv.net>v1258 |
||
|
rUv
|
0bffe27288 |
feat(adr-117): pip wifi-densepose modernization (PIP-PHOENIX) + ruview sibling release (#786)
* docs(adr-117): seed branch — ADR-117 pip-modernization spec + soul-signature research bundle
Two artifacts landing together on this new branch as the prerequisite
documentation for the v2.0.0 Python wheel modernization work:
1. **docs/adr/ADR-117-pip-wifi-densepose-modernization.md** (644 lines)
— Plan to bring the 2025-published `wifi-densepose` PyPI package
(last release v1.1.0, 2025-06-07, 11.5 months out of sync) up to
the current Rust v2/ workspace SOTA. Recommends PyO3 + maturin
with abi3-py310 (one binary covers Python 3.10–3.13 per OS/arch),
first-wheel scope = core + vitals + signal crates (~5 MB), v1.99.0
tombstone + 90-day un-yank window for v1.1.0, v2.0.0 hard break.
Open questions catalogued; phases P1–P6+ laid out with concrete
acceptance criteria.
2. **docs/research/soul/** (5 files, ~1,450 lines) — Soul Signature
research spec: 7-channel electromagnetic biometric fingerprint
(AETHER 128-dim + cardiac HR/HRV + cardiac waveform morphology +
respiratory pattern + gait timing + skeletal proportions +
subcarrier reflection profile), fused into one RVF graph file.
Includes 60s scanning protocol, 5-layer security model,
threat-model + mitigations, references to existing ADRs (014,
021, 024, 027, 030, 039, 079, 106, 108, 109, 110, 115). Marked
"Research Specification (Pre-Implementation)". Explicit "what
this is NOT" disclaimers preempt pseudoscience drift; every
discriminative-power claim either cites a measurement or is
marked "open research; baseline TBD".
Branch off main at HEAD; ready for /loop 10m implementation
iterations.
Co-Authored-By: claude-flow <ruv@ruv.net>
* feat(adr-117/p1): scaffold python/ workspace — PyO3 + maturin + smoke tests (refs #785)
ADR-117 P1 — the python/ directory is now a working maturin-buildable
crate that produces the v2.x replacement for the legacy pure-Python
wifi-densepose==1.1.0 PyPI wheel.
## What lands
- `python/Cargo.toml` — PyO3 0.22 with `extension-module` + `abi3-py310`
(one binary covers Python 3.10–3.13 per OS/arch — keeps the
cibuildwheel matrix to 5 wheels per release, not 20). Depends on
`wifi-densepose-core` from the existing v2/ workspace via relative
path.
- `python/pyproject.toml` — maturin>=1.7 build backend with
`python-source = "python"` and `module-name = "wifi_densepose._native"`
so the compiled module loads as an internal underscore-private
submodule of the user-facing `wifi_densepose` package. PEP 621
metadata + classifiers + project URLs. Optional-deps:
`wifi-densepose[client]` for the P4 WS/MQTT pure-Python layer,
`wifi-densepose[dev]` for the test toolchain (pytest, ruff, mypy).
- `python/src/lib.rs` — minimal `#[pymodule] wifi_densepose_native`
exporting `__rust_version__`, `__rust_build_tag__`,
`__build_features__`, and a `hello()` smoke function. P2 will land
the core type bindings here.
- `python/wifi_densepose/__init__.py` — pure-Python facade re-exporting
the compiled module's symbols under their stable user-facing names.
Docstring teaches the v1→v2 migration story up-front.
- `python/wifi_densepose/py.typed` — PEP 561 marker so `mypy --strict`
in user code treats the wheel as fully typed (real stubs land in P2).
- `python/tests/test_smoke.py` — 6 P1 acceptance tests:
1. package imports without error
2. version string is PEP 440-compliant
3. `__rust_version__` is reachable from Python (the diagnostic
surface ADR-117 §5.2 promised)
4. `__build_features__` lists `p1-scaffold` marker
5. `wifi_densepose.hello()` returns "ok" (FFI round-trip)
6. `wifi_densepose._native` is reachable but the leading underscore
conveys "private; users should import the parent package"
- `python/README.md` — phase ledger, local build instructions
(`maturin develop`), layout diagram.
## What's deferred to P2+
- Core type bindings (`CsiFrame`, `Keypoint`, `PoseEstimate`) — P2
- Vitals + signal DSP bindings + witness v2 — P3
- Pure-Python WS/MQTT client layer (`wifi_densepose[client]`) — P4
- cibuildwheel + PyPI publish — P5
- v1.99.0 tombstone — concurrent with P5
The new `python/` crate is intentionally OUTSIDE the v2/ Cargo
workspace — it has its own Cargo.toml with `[package]` not
`[workspace.package]` inheritance — to keep maturin's `python-source`
+ `module-name` config self-contained and to avoid forcing every
`cargo test --workspace` invocation in v2/ to compile pyo3.
Refs ADR-117 §5 (Detailed design) and §6 (Phased migration).
Refs #785 (tracking issue).
Co-Authored-By: claude-flow <ruv@ruv.net>
* fix(adr-117/p1): standalone Cargo.toml + python-source=. + #[pyo3(name=_native)] (P1 GREEN)
Three fixes to make maturin develop actually work locally:
1. `python/Cargo.toml` removed `*.workspace = true` inheritance —
the python/ crate is intentionally outside the v2/ workspace
(ADR-117 §5.2) so it needs every `[package]` field local.
2. `python/pyproject.toml` `python-source = "python"` was wrong
because pyproject.toml lives at python/ — maturin was looking for
python/python/. Changed to `python-source = "."` so the
`wifi_densepose/` package directory sibling-to-pyproject is found.
3. `python/src/lib.rs` `#[pymodule] fn wifi_densepose_native` →
`#[pymodule] #[pyo3(name = "_native")] fn wifi_densepose_native`.
PyO3 generates `PyInit__native` from the pyo3-name attribute, which
must match the `module-name` in pyproject.toml's [tool.maturin]
block ("wifi_densepose._native"). Without this attribute the wheel
builds but `import wifi_densepose._native` fails with
ModuleNotFoundError.
## Local validation (P1 acceptance gate)
```
$ python -m venv .venv && .venv/Scripts/python -m pip install maturin pytest
$ VIRTUAL_ENV=… maturin develop --release
…
Finished `release` profile [optimized] target(s)
📦 Built wheel for abi3 Python ≥ 3.10
🛠 Installed wifi-densepose-2.0.0a1
$ .venv/Scripts/python -c 'import wifi_densepose; print(wifi_densepose.__version__, wifi_densepose.__rust_version__, wifi_densepose.hello())'
2.0.0a1 2.0.0-alpha.1 ok
$ .venv/Scripts/python -m pytest tests/ -v
tests/test_smoke.py::test_package_imports PASSED
tests/test_smoke.py::test_version_string_well_formed PASSED
tests/test_smoke.py::test_rust_version_surfaced PASSED
tests/test_smoke.py::test_build_features_listed PASSED
tests/test_smoke.py::test_hello_returns_ok PASSED
tests/test_smoke.py::test_native_module_private PASSED
======================== 6 passed in 0.05s =========================
```
P1 closed. Moving to P2 (core type bindings).
Refs #785, ADR-117 §6.
Co-Authored-By: claude-flow <ruv@ruv.net>
* feat(adr-117/p2): Keypoint + KeypointType bindings — 23 new tests (29/29 GREEN)
Lands the first chunk of P2: PyO3 bindings for `Keypoint` and
`KeypointType` from `wifi_densepose_core`. Bound types surface to
Python as `wifi_densepose.Keypoint` / `wifi_densepose.KeypointType`.
## Design choices that affect the API surface
1. **`Confidence` is NOT bound as a separate class.** Users hate
wrapping a float in a constructor. Python-side, confidence is just
a `float in [0.0, 1.0]`; the binding validates on construction
(`ValueError` for out-of-range, matching the Rust core error).
2. **`KeypointType` is a `#[pyclass(eq, eq_int, hash, frozen)]` enum**
— hashable so users can drop it into dicts/sets (the most common
pattern in pose-analysis notebooks: `keypoints_by_type[k.type] = k`).
3. **`Keypoint.__init__` keyword-only `z`** so 2D users don't have to
write `None` and 3D users get a clear named arg:
`Keypoint(KeypointType.LeftWrist, 0.2, 0.4, 0.8, z=0.1)`.
4. **`Keypoint` is `#[pyclass(frozen)]`** — no in-place mutation. The
Rust core type is immutable through Copy + Hash + Eq, and exposing
setters from Python would create a copy-vs-reference inconsistency
between languages.
## Files
- `python/src/bindings/keypoint.rs` — 220 lines of `#[pymethods]`
wrappers + Rust↔Python enum round-trip
- `python/src/lib.rs` — `mod bindings { pub mod keypoint; }` +
`bindings::keypoint::register(m)?` call from `#[pymodule]`
- `python/wifi_densepose/__init__.py` — re-exports `Keypoint` and
`KeypointType` at the package root
- `python/tests/test_keypoint.py` — 23 tests covering:
- 17-element COCO ordering of `KeypointType.all()`
- index→type mapping for every variant
- snake_name matches COCO spec
- `is_face()` / `is_upper_body()` predicates
- hashability (the bug I caught when I added the set-based face
test — fixed by adding `hash` to the `#[pyclass]` attribute)
- 2D + 3D constructor variants
- position_2d / position_3d tuples
- is_visible threshold
- confidence validation (Err on out-of-range)
- distance_to (2D Euclidean, 3D Euclidean, fallback when one is 2D
and the other is 3D)
- __repr__ + __eq__
- the new `p2-keypoint-bindings` feature marker landed
## Local validation
\`\`\`
$ cd python && .venv/Scripts/python -m pytest tests/ -v
tests/test_smoke.py::test_package_imports PASSED
tests/test_smoke.py::test_version_string_well_formed PASSED
tests/test_smoke.py::test_rust_version_surfaced PASSED
tests/test_smoke.py::test_build_features_listed PASSED
tests/test_smoke.py::test_hello_returns_ok PASSED
tests/test_smoke.py::test_native_module_private PASSED
tests/test_keypoint.py::test_keypoint_type_all_returns_17 PASSED
…
======================== 29 passed in 0.06s =========================
\`\`\`
Wheel size after both bindings: still well under the 5 MB ADR §5.4
budget (release build with --strip on Windows: ~340 KB).
Also adds `python/.gitignore` to prevent the `.venv/` + `target/` +
`_native.abi3.pyd` artifacts from getting committed.
## What's left in P2
CsiFrame + PoseEstimate bindings land in the next iteration. They're
larger (CsiFrame has the subcarrier buffer; PoseEstimate has
17×Keypoint + BoundingBox + track_id + score). Pattern is now proven
so they go faster.
Refs #785, ADR-117 §6.
Co-Authored-By: claude-flow <ruv@ruv.net>
* feat(adr-117/p2): BoundingBox + PersonPose + PoseEstimate — P2 COMPLETE (57/57 tests GREEN)
Lands the second + third chunks of P2: PyO3 bindings for `BoundingBox`,
`PersonPose`, `PoseEstimate` from `wifi_densepose_core`. Combined with
the prior Keypoint + KeypointType bindings (
v1256
|
||
|
ruv
|
753f0a23b7 |
docs(adr-118): integrate Soul Signature into BFLD ADRs 118/120/121/122
Wire the Soul Signature research (docs/research/soul/) into BFLD as a consent-based opt-in that runs at privacy_class = 1 (derived). BFLD becomes the policy-enforcement and compliance layer for Soul Signature; the two share the AETHER encoder, the witness chain, the RVF container, and cross_room.rs. ADR-118 §1.4 (new): comparison table of intents, consent models, ID spaces, and shared assets. Explains why the two systems are complementary, not antagonistic. ADR-120 §2.7 (new): dual-ID-space contract. - Default BFLD: class 2, daily-rotated rf_signature_hash for all. - Soul Signature opt-in: class 1, rotating hash for unenrolled + stable opaque person_id for enrolled. No collision. - Class 3 (restricted): Soul Signature disabled. Static enforcement via --features soul-signature feature gate. ADR-121 §2.6 (new): Soul Signature Recalibrate exemption + enrollment- quality gate. - SoulMatchOracle suppresses Recalibrate when high score traces to an enrolled person_id (matched outcome is intended, not an attack). - identity_risk_score doubles as enrollment-quality signal: Soul Signature enrollment requires score >= 0.65 sustained over the 60s window. - Exemption is asymmetric: unknown high-separability clusters still trigger Recalibrate. ADR-122 §2.7 (new): three Soul Signature HA entities exposed at class 1 only, structurally rejected at the Matter boundary. Fourth blueprint (enrolled-person arrival notification) ships under feature flag, default off, per-person opt-in. Co-Authored-By: claude-flow <ruv@ruv.net>v1251 |
||
|
ruv
|
2365f0c31b | Merge feat/adr-118-bfld into main: BFLD layer (6 ADRs + research bundle) v1.99.0-pip v1248 | ||
|
ruv
|
29233db6d5 |
docs(adr-118): BFLD — Beamforming Feedback Layer for Detection (6 ADRs + research bundle)
Introduce the Beamforming Feedback Layer for Detection: the RuView safety layer
that ingests WiFi BFI, measures identity-leakage risk, and structurally prevents
identity-correlated data from leaving the node by default.
ADRs (6):
- ADR-118: umbrella decision, crate scaffolding, 6-phase rollout (~10.5 wk)
- ADR-119: BfldFrame wire format, magic 0xBF1D_0001, deterministic serialization
- ADR-120: 4 privacy classes, BLAKE3 keyed-hash rotation, #[must_classify] default-deny
- ADR-121: 9-feature identity-risk scoring, coherence gate with hysteresis
- ADR-122: 6 HA entities, 3 Matter clusters, mosquitto ACL, cognitum-v0 federation
- ADR-123: Pi 5 / Nexmon production capture, AX210 dev path, ESP32-S3 self-only fallback
Research bundle (docs/research/BFLD/, 13,544 words):
- SOTA survey covering BFId (KIT, ACM CCS 2025) and LeakyBeam (NDSS 2025)
- Architectural soul: defensive sensing primitive, not surveillance lens
- Six-adversary threat model with attack trees and mitigations
- Privacy-gating mechanics with structural cross-site isolation proof
- Automation/integration surface (HA, Matter, MQTT, federation)
- Concrete implementation plan with reuse map
- Evaluation strategy with red-team protocol on KIT BFId dataset
- Draft ADR, GitHub issue, and public gist
Three structural invariants enforced by the type system, not policy:
I1 — Raw BFI never exits the node
I2 — Identity embedding is in-RAM-only (no Serialize impl)
I3 — Cross-site identity correlation is cryptographically impossible
(per-site BLAKE3 keyed-hash with daily epoch rotation)
References:
https://publikationen.bibliothek.kit.edu/1000185756 (BFId)
https://www.ndss-symposium.org/wp-content/uploads/2025-5-paper.pdf (LeakyBeam)
Co-Authored-By: claude-flow <ruv@ruv.net>
|
||
|
ruv
|
be4efecbcd |
cog-ha-matter (ADR-116 P8): app-registry entry stub + release checklist
Two closing P8 deliverables that complete the local-side publishing
scaffolding. The remaining work is all credential-bearing user
action.
1. `cog/app-registry-entry.json` — the exact JSON payload to paste
into cognitum-one's `app-registry.json`. Schema discovered by
fetching the live registry (105 cogs, 11 categories) and
matching the existing `ruview-densepose` entry verbatim. Keys:
id, name, category, version, size_kb, difficulty, description,
featured, config[], sha256, binary_size
cog-ha-matter slots in under `category: "building"` (smart home
/ building automation — the natural HA / Matter category, vs
`network` which is more about transport bridges).
7 config[] entries mirror our CLI surface:
sensing_url, mqtt_host, mqtt_port, privacy_mode,
mdns_hostname, mdns_ipv4, no_mdns
Two post-build fields left as `<FILL_IN_...>` markers:
sha256 (paste from the workflow artifact's .sha256)
binary_size (wc -c < the binary)
Schema validated: all 10 required keys present, parses as JSON.
2. `cog/RELEASE-CHECKLIST.md` — one-page mechanical playbook with
four explicit "🔑 USER ACTION" gates. Each gate names exactly
what the user (or org admin) has to do that the pipeline cannot:
a) provision GCP_CREDENTIALS + HAS_GCP_CREDENTIALS org var
b) provision COGNITUM_OWNER_SIGNING_KEY GH secret
c) gcloud auth login (only if uploading locally)
d) PR app-registry.json into cognitum-one
Plus pre-release test gate, tag-push command, post-release
verification curl, and a rollback procedure using GCS object
versioning (per ADR-100 §"GCS misconfiguration risks").
Stop-condition check (cron's predicate: "ALL local-side publishing
scaffolding is complete and the only remaining work requires user
action"):
✅ cog/manifest.template.json
✅ cog/Makefile (build / sign / upload / verify / clean)
✅ cog/README.md
✅ cog/app-registry-entry.json (this commit)
✅ cog/RELEASE-CHECKLIST.md (this commit)
✅ .github/workflows/cog-ha-matter-release.yml (3 jobs, gated)
✅ dist/ handling (gitignored, created by make)
🔑 4 user-action gates explicitly enumerated in the checklist
The cron should STOP after this iter — the local-side scaffolding
is complete and the remaining work is the four named credential
gates that the pipeline cannot self-serve.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1235
v1234
|
||
|
ruv
|
3833929dcb |
cog-ha-matter (ADR-116 P8): CI release workflow + fix inherited filename bug
New `.github/workflows/cog-ha-matter-release.yml`:
* Triggers on `cog-ha-matter-v*` tag-push + manual dispatch
* Three jobs: build-x86_64, build-arm, publish-gcs
* x86_64: native ubuntu-latest cargo build
* arm: aarch64-unknown-linux-gnu via apt-installed gcc-aarch64-linux-gnu
linker (no `cross` dep needed — keeps workflow self-contained)
* Each build job runs make build-{arch} + make sign-{arch} +
gated Ed25519 sign step (skipped when COGNITUM_OWNER_SIGNING_KEY
secret is unset — workflow still produces unsigned artifacts so
we get build coverage now and signing later without re-merging)
* publish-gcs job gated on `vars.HAS_GCP_CREDENTIALS == 'true'`
so the workflow is safe to merge before credentials land —
no-op until the org admin sets the variable
* Uploads binary + sha256 + (optional) sig to
`gs://cognitum-apps/cogs/{arch}/cog-ha-matter-{arch}`
* Prints the app-registry.json snippet for the cognitum-one PR
(so the publish step's output is the exact JSON the user pastes)
Fixed a bug inherited from cog-pose-estimation's Makefile: the
precedent produces `dist/cog-cog-pose-estimation-arm` (double
`cog-` prefix because CRATE name already starts with `cog-`) but
the manifest URL has single prefix `cog-pose-estimation-arm`. The
upload path doesn't match the binary_url — a latent bug in the
pose cog's pipeline.
My copy now produces `dist/cog-ha-matter-arm` matching the
manifest URL `cog-ha-matter-{{ARCH}}`. Changed: Makefile (build /
sign / upload / verify / clean targets), workflow (artifact names
+ gsutil paths), README (local dry-run instructions). The
cog-pose-estimation precedent is unchanged — separate fix if/when
the user wants to align it.
What this iter does NOT do (P8 remaining):
* provision GCP_CREDENTIALS / COGNITUM_OWNER_SIGNING_KEY secrets
(user action — needs org admin access)
* actually run the workflow (needs a `cog-ha-matter-v0.1.0` tag
push, or workflow_dispatch from the Actions tab)
* append to app-registry.json in cognitum-one (separate repo PR)
Next iter: tag a v0.0.1-dev (so the workflow runs once + we see
any build-time errors on real CI runners) OR scaffold the
app-registry.json patch payload as a check-in doc.
Co-Authored-By: claude-flow <ruv@ruv.net>
|
||
|
ruv
|
1e469aa336 |
cog-ha-matter (ADR-116 P8): scaffold cog/ publishing layout
Mirrors v2/crates/cog-pose-estimation/cog/ so the Seed runtime
treats cog-ha-matter identically — `cognitum cog install ha-matter`
behaves like `cognitum cog install pose-estimation`.
Files:
* cog/manifest.template.json — 9-field manifest with {{VERSION}}
+ {{ARCH}} slots, hand-edited by the Makefile signer
* cog/Makefile — same target set as cog-pose-estimation:
build / build-arm / build-x86_64
sign / sign-arm / sign-x86_64 (Ed25519 step is TODO,
blocked on COGNITUM_OWNER_SIGNING_KEY provisioning —
same blocker as cog-pose-estimation)
upload / upload-arm / upload-x86_64
manifest (delegates to `cargo run -- --print-manifest`)
release (= build + sign + upload + manifest)
verify (sha256sum vs sidecar)
clean
Adds `mkdir -p dist` to build steps so the gitignored dist/
folder is created on first build.
* cog/README.md — what this cog does, layout map, local dry-run
instructions, gcloud auth requirements, the JSON snippet to
paste into app-registry.json (in the separate cognitum-one
repo, not this one)
Local dist/ is intentionally not committed: top-level .gitignore
matches `dist/` globally, the Makefile creates it on demand.
What this commit does NOT do (P8 remaining):
* cross-compile build (needs `rustup target add
aarch64-unknown-linux-gnu x86_64-unknown-linux-gnu` + linker)
* sign the binaries (COGNITUM_OWNER_SIGNING_KEY not provisioned)
* gsutil cp to gs://cognitum-apps/ (needs user's gcloud auth)
* append to app-registry.json (lives in cognitum-one repo —
separate PR there)
Next iter: a CI workflow that runs `make build sign verify` on
tag-push, so the local-side pipeline is fully exercised even
without the production credentials.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1233
|
||
|
ruv
|
d4f0e12073 |
cog-ha-matter (ADR-116): P4 ✅ — mDNS wired into main, broker deferred
Two landings that flip P4 to shipped:
1. main.rs now actually registers the mDNS responder. New CLI:
--mdns-hostname (default: cog-ha-matter.local.)
--mdns-ipv4 (default: 127.0.0.1)
--no-mdns (skip for restrictive CI / multi-instance)
Responder boots after the publisher; failure logs WARN + falls
back to manual HA config instead of killing the cog. The
handle's Drop sends the mDNS goodbye packet on shutdown so HA's
discovery sees a clean service-leave (no stale device card).
2. Embedded rumqttd broker DEFERRED to v0.7 per dossier §8 ranking.
The dossier's prioritised v1 scope is:
1. --privacy-mode audit-only
2. cog manifest + Ed25519 signing + store listing
3. local SONA fine-tuning loop
4. HACS gold-tier integration
5. Matter Bridge (v0.8)
Embedded broker is not in that list. Every HA install already
has mosquitto or HA Core's built-in broker — adding ~2 MB of
binary + ACL config surface for marginal benefit didn't earn a
v1 slot. Documented as row 6 of §4 v1 scope table with explicit
v0.7 target.
P4 row updated to ✅: mDNS half complete (record-builder +
ServiceInfo + live responder + main.rs wiring), witness half
complete (chain + JSONL + file + Ed25519), embedded broker
explicitly deferred with rationale citation to dossier §8.
Stop-condition check:
* dossier has "Recommended scope" section ✅ (§8, folded into
ADR §4)
* P2 (cog scaffold) ✅
* P3 (MQTT publisher wrap) ✅
* P4 (Seed-native enhancements) ✅
Cron's stop predicate evaluates: P2-P4 shipped AND dossier has
the recommended-scope section → STOP. The loop should TaskStop
itself after this iter unless the user wants P5 (RuVector
thresholds), P8 (cog signing), or P9 (HACS repo) to keep going.
64/64 tests green.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1230
v1231
|
||
|
ruv
|
07b792715f |
cog-ha-matter (ADR-116 P4): live mDNS responder + handle
Closes the mDNS half of P4. `runtime::start_mdns_responder` binds
multicast via `mdns_sd::ServiceDaemon::new`, builds the
ServiceInfo from `MdnsService::to_service_info` (iter 9), and
registers — returning a typed handle that owns both daemon and
fullname.
Handle shape:
pub struct MdnsResponderHandle {
daemon: ServiceDaemon,
fullname: String,
}
impl MdnsResponderHandle {
pub fn fullname(&self) -> &str;
pub fn shutdown(self) -> Result<(), mdns_sd::Error>;
}
impl Drop for MdnsResponderHandle { /* best-effort */ }
Why explicit `shutdown` + best-effort `Drop`: a clean shutdown
sends a goodbye packet so HA's discovery integration sees the
service leave (good UX — no stale device card). `Drop` is the
fallback for panics / process termination but swallows errors
since panicking-in-Drop would mask the real failure.
1 new live-I/O test:
* mdns_responder_fullname_concatenates_instance_and_service_type
— actually binds multicast on the loopback adapter, registers,
asserts the fullname contains `_ruview-ha._tcp`, then
shutdown()s. Confirmed working on Windows; CI environments
where multicast bind is filtered will hit the gracefully-
skipping early return rather than failing the suite.
64/64 cog tests green (63 → 64).
ADR-116 P4: mDNS half ✅ (record-builder + ServiceInfo + live
responder), witness half ✅ (chain + JSONL + file + Ed25519).
Last piece is the embedded rumqttd broker so external mosquitto
becomes optional.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1229
|
||
|
ruv
|
34eced880f |
cog-ha-matter (ADR-116 P4): MdnsService -> mdns-sd ServiceInfo bridge
Pure conversion from our wire-format `MdnsService` to the
`mdns_sd::ServiceInfo` shape the responder daemon consumes. No
socket binding, no daemon registration yet — that lands next iter
as a `runtime::spawn_mdns_responder(info)` JoinHandle returning
helper, same shape as `runtime::spawn_publisher`.
* `MdnsService::to_service_info(hostname, ipv4) ->
Result<ServiceInfo, mdns_sd::Error>`
* `mdns-sd = "0.11"` added — aligned with the workspace pin from
wifi-densepose-desktop so the lockfile doesn't fork dalek-like
surfaces.
3 new tests:
* to_service_info_carries_service_type_and_port — locks that
`_ruview-ha._tcp` (with or without mdns-sd's trailing-dot
normalisation) and the control port round-trip through the
conversion
* to_service_info_propagates_txt_records — every locked TXT
key from iter 4 (cog_id, mqtt_port, privacy, proto, node_id,
cog_version) reachable via `get_property_val_str` on the
converted ServiceInfo
* to_service_info_does_not_silently_drop_caller_hostname —
locks the caller-side responsibility for the .local. suffix.
mdns-sd 0.11 accepts bare hostnames (verified empirically by
initial test expecting it to reject — it didn't), so the
wrapper layer must do the trailing-dot dance. Documenting
that via a named test catches future bumps where the lib
starts mutating the value.
63/63 cog tests green (60 → 63).
ADR-116 P4 now ⁶⁄₇: ✅ mDNS record-builder, ✅ chain, ✅ JSONL, ✅
file persistence, ✅ Ed25519 signing, ✅ ServiceInfo conversion;
⏳ daemon register + embedded broker.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1228
|
||
|
ruv
|
bb154d4e78 |
cog-ha-matter (ADR-116 P4): Ed25519 signing layer for witness chain
Closes the cryptographic-attestation gap in ADR-116 §2.2: every
witness event can now be signed by the Seed's Ed25519 key, with
verify available to any auditor holding the public key.
Module shape (`src/witness_signing.rs`, kept separate from
`witness::` so the hash chain stays usable without dalek linked
in — important for the wasm32 audit-verifier variant we'll ship
later):
* sign_event(event, &SigningKey) -> Signature
* verify_signature(event, &Signature, &VerifyingKey)
-> Result<(), SignatureVerifyError>
* signature_to_hex / signature_from_hex (128-char lowercase,
matches the witness hex convention)
* SignatureVerifyError::Invalid
* SignatureParseError::{Length, Hex}
Key design point: signature covers the SAME canonical bytes
witness::hash_event hashes. That means:
1. A signed event commits to the entire event content (kind,
payload, timestamp, seq, prev_hash) — no field can be
retroactively changed without invalidating both the hash AND
the signature.
2. The signature implicitly commits to the event's *chain
position* via prev_hash — splicing a signed event into a
different chain breaks verification.
Adds `ed25519-dalek = "2.1"` to cog-ha-matter (already in
workspace via ruv-neural, version kept aligned).
9 new tests:
* sign_and_verify_round_trip
* verify_rejects_signature_under_wrong_key
* verify_rejects_tampered_event (mutate payload after sign)
* verify_rejects_event_with_wrong_prev_hash (splice attack)
* signature_hex_round_trip
* signature_from_hex_rejects_wrong_length
* signature_from_hex_rejects_non_hex
* signature_is_deterministic_for_same_event_and_key
(locks Ed25519's determinism — catches future accidental
swap to a randomized scheme)
* different_events_produce_different_signatures
60/60 cog tests green (51 → 60). Key management is intentionally
out of scope here — the cog runtime reads the Seed's key from the
Cognitum control plane's secure store (separate concern).
ADR-116 P4 now ⁵⁄₆: ✅ mDNS record, ✅ chain, ✅ JSONL, ✅ file
persistence, ✅ Ed25519 signing; ⏳ responder + embedded broker.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1227
v1225
|
||
|
ruv
|
1f5b7b48c9 |
cog-ha-matter (ADR-116 P4): witness file persistence + chain-level verify
Closes the witness audit-bundle surface. The hash-chain primitive
+ JSONL serializer from earlier iters only handled one event at a
time; this lands the file-stream surface that operations actually
need:
* `WitnessChain::write_jsonl(&mut impl Write) -> io::Result<()>`
— streams every event as one line + `\n`, empty chain writes
zero bytes
* `WitnessChain::read_jsonl(impl BufRead) -> Result<WitnessChain,
WitnessReadError>` — parses event-by-event AND runs chain-level
`verify()` on the loaded chain, catching reordered or replayed
prefixes that per-event hashing alone misses
Critical security property: `read_jsonl` calls `WitnessChain::verify`
on the loaded chain BEFORE returning Ok. A forged bundle assembled
from two valid chains pasted together would slip past the
per-event hash check (each event's `this_hash` is internally
consistent) but the cross-event `prev_hash` linkage detects the
seam. Test `read_jsonl_chain_verify_catches_reordered_events`
locks this — swap two events in a 2-event bundle, see Verify error.
Error surface (new `WitnessReadError` enum):
* `Io { line_no, msg }` — read failure mid-stream
* `Parse { line_no, source }` — per-event from_jsonl_line failure
* `Verify { source }` — chain-level verify failure
`line_no` is 1-indexed so an auditor sees the same number their
text editor shows. Blank lines tolerated for hand-edited bundles.
7 new tests:
* empty chain writes zero bytes
* write→read round-trips a 3-event chain
* exactly N newlines for N events; trailing newline present
* blank lines / leading newline tolerated
* parse error surfaces with correct line_no
* reordered events caught by chain-level verify
* no-trailing-newline still loads the final event
51/51 cog tests green (44 → 51).
Co-Authored-By: claude-flow <ruv@ruv.net>
v1226
|
||
|
ruv
|
a3478ea3b5 |
cog-ha-matter (ADR-116 P4): witness JSONL persistence
Third P4 sub-unit: serialize/parse for the witness hash chain so
audit bundles can be written to disk and replayed.
Wire shape (one record per line, alphabetical field order locked):
{"kind":"...","payload_hex":"...","prev_hash":"...","seq":N,
"this_hash":"...","timestamp_unix_s":N}
Why alphabetical field order: auditors archive whole bundles and
hash them. A rebuild that reordered fields would silently
invalidate every archival hash — locking the order is what makes
the JSONL stable across compiler / serde-json upgrades.
Why hex everywhere: human-greppable, monospace-friendly, no base64
ambiguity, no Vec<u8> JSON-array ugliness. Same convention as
ADR-101's `binary_sha256`.
Critically, `from_jsonl_line` RE-VERIFIES `this_hash` against
the canonical bytes derived from the parsed fields. A tampered
bundle fires `WitnessParseError::HashMismatch` BEFORE the event
loads — the parser is itself an auditor.
New surfaces:
* `WitnessHash::from_hex` (with structured length/parse errors)
* `WitnessEvent::to_jsonl_line`, `from_jsonl_line`
* `WitnessParseError` enum: Json | MissingField | WrongType |
HashLength | HashHex | PayloadHex | PayloadLength | HashMismatch
* private `hex_encode` / `hex_decode` helpers (no `hex` crate dep)
10 new tests:
* jsonl round-trip preserves all fields
* jsonl line has no embedded \n / \r (one record per line)
* jsonl field order is alphabetical (byte-stable archival)
* parser rejects tampered payload via HashMismatch
* parser rejects non-hex characters in hash
* parser rejects missing field
* hex encode/decode round-trip across empty / single byte / 0xff /
UTF-8 / arbitrary bytes
* hex decode rejects odd-length input
* WitnessHash::from_hex round-trip
* WitnessHash::from_hex rejects wrong length
44/44 cog tests green (34 → 44).
ADR-116 P4 row enumerates 4 sub-units now: ✅ mDNS record-builder,
✅ witness chain primitive, ✅ witness JSONL persistence,
⏳ responder + embedded broker + Ed25519 signing.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1223
|
||
|
ruv
|
fe913b0ea7 |
cog-ha-matter (ADR-116 P4): pure witness hash-chain primitive
Second P4 unit: an append-only SHA-256 hash chain for tamper-evident
audit logging. ADR-116 §2.2 promised this for healthcare /
education / shared-housing deployments — this lands the primitive
with no key dependency so the next iter can layer Ed25519 signing
on top without touching the chain itself.
Module shape:
* `WitnessHash([u8; 32])` newtype + `WitnessHash::GENESIS` sentinel
* `WitnessEvent { seq, prev_hash, ts, kind, payload, this_hash }`
— once committed, every field is immutable
* `WitnessChain` — `append`, `tip`, `verify`, `events`
* `canonical_bytes` — length-prefixed serialization that prevents
the classic concatenation forgery
(`abc|def` ≠ `ab|cdef`)
* `WitnessVerifyError` — auditor-friendly error with `at: usize`
on every variant (SeqGap, PrevHashMismatch, HashMismatch)
13 new tests covering both happy path and active tampering:
* genesis hash all-zeros
* empty chain tip is genesis
* canonical bytes length-prefixed (anti-forgery)
* canonical bytes start with prev_hash (wire-format lock)
* append links to prev_hash
* seq monotonic from 0
* verify passes on clean chain
* verify catches tampered payload (fires HashMismatch)
* verify catches broken prev_hash link
* verify catches seq gap
* hash hex is 64 lowercase chars
* first event prev_hash == GENESIS (auditor anchor)
* different payloads → different hashes
Hash-chain over Merkle is the right tradeoff for the cog's event
rate (a few/min steady, dozens during a fall) — linear scan is
fine and we save the Merkle complexity for a future tier when
chains span days.
34/34 cog tests green (21 → 34).
ADR-116 P4 row updated to enumerate the three P4 sub-units shipped /
pending: (a) mDNS record-builder ✅, (b) witness hash-chain ✅, (c)
responder + embedded broker + Ed25519 signing pending.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1224
|
||
|
ruv
|
35722529bf |
cog-ha-matter (ADR-116 P4): pure mDNS service-record builder
Opens P4 with the smallest extractable unit: a pure builder that
produces the wire-format `MdnsService` the responder will publish
next iter. Splitting the record-builder from the responder lets
us:
* lock the TXT-record surface with named unit tests so drift
between the cog and the HA-side YAML auto-discovery binding
fires a test instead of silently breaking deployments,
* swap the responder library (mdns-sd / zeroconf / pnet) without
touching content,
* include the advertisement in `--print-manifest` for Seed
integration tests that can't boot tokio.
TXT surface (sorted, RFC 6763):
| cog_id | "ha-matter" |
| cog_version | CARGO_PKG_VERSION |
| node_id | identity.node_id |
| mqtt_port | u16 stringified |
| privacy | "1" | "0" |
| proto | "ruview-ha/1" |
9 new tests:
* service_type locked to `_ruview-ha._tcp`
* instance_name carries node_id
* control_port advertises the *control plane*, not MQTT
* privacy flag is "1"/"0" (HA config flow reads it byte-stable)
* proto version locked to ruview-ha/1 (bump is deliberate)
* cog_id in TXT matches crate constant
* txt_records sorted for byte-stable mDNS responses
* **PII leak guard**: TXT must NOT carry hr_bpm, br_bpm, pose_*,
keypoint, ssid, lat, lon, mac, rssi — broadcasts in cleartext
so a future "let's add hr_bpm for convenience" patch fires
here, not in a privacy incident.
* required-keys lock — adding is fine, removing/renaming breaks
every deployed Seed.
21/21 cog tests green (12 → 21).
ADR-116 P4 flipped pending → in progress, with the responder /
embedded broker / witness chain enumerated as the remaining P4
sub-units.
Co-Authored-By: claude-flow <ruv@ruv.net>
|
||
|
ruv
|
c9f005c360 |
cog-ha-matter (ADR-116 P3): wire publisher::spawn into main.rs
P3 closes the publisher wiring loop. `main.rs` now:
1. builds `PublisherInputs` from CLI args via the pure helper
extracted last iter,
2. opens a `broadcast::channel::<VitalsSnapshot>(256)`,
3. calls `runtime::spawn_publisher(inputs, rx)` — a thin
wrapper around ADR-115's `publisher::spawn` that owns the
`Arc<MqttConfig>` wrap,
4. holds the tx side so the channel stays open until P3.5
wires the sensing-server bridge,
5. awaits Ctrl-C or unexpected publisher exit (logged at WARN).
Two new tests:
* `spawn_publisher_returns_live_handle_without_broker` — proves
the wiring compiles and the rumqttc event loop survives an
unreachable broker (it retries internally; we abort the handle
inside 100 ms). Catches breakage from a future refactor that
accidentally pre-validates host reachability.
* `default_state_channel_capacity_is_reasonable` — locks the
`DEFAULT_STATE_CHANNEL_CAPACITY = 256` default; a regression to
e.g. 1 would surface here instead of as a dropped frame in
production under bursty multi-Seed federation.
12/12 cog-ha-matter tests green (10 → 12).
ADR-116 phase table: P3 flipped from "in progress" to ✅ wiring done,
with the P3.5 follow-up (sensing-server `/v1/snapshot` WS bridge)
explicitly named.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1222
|
||
|
ruv
|
5723f505b7 |
cog-ha-matter (ADR-116 P3): extract pure publisher-input builder
Adds `runtime::build_publisher_inputs(host, port, privacy, identity)` —
the side-effect-free helper that turns the cog's CLI surface into the
`(MqttConfig, OwnedDiscoveryBuilder)` pair ADR-115's `publisher::spawn`
consumes. Keeps the tokio runtime wiring out of the pure unit so the
mDNS responder + Seed control plane (P4) can build the same inputs
from different sources without going through clap.
8 new tests lock the wire-format invariants:
* host/port round-trip into MqttConfig
* privacy_mode propagation (P1 dossier item 7, FDA Jan 2026)
* discovery_prefix defaults to "homeassistant"
* discovery carries node_id + sw_version + friendly_name
* via_device advertises COG_ID (ADR-101/102 device-registry shape)
* client_id includes node_id (lesson from ADR-115 iter 45-48 session
takeover post-mortem — two publishers sharing a client_id loop)
* tls defaults to Off for v1 LAN-only (lock against silent enablement)
* default_identity carries CARGO_PKG_VERSION + PID for uniqueness
Plus the existing 2 manifest tests → 10/10 green
(`cargo test -p cog-ha-matter --no-default-features --lib`).
Also lands the deep-researcher dossier (`docs/research/ADR-116-ha-...`)
that the ADR §3+§4 reference — it was produced last iter but only the
ADR was committed; this puts the source-of-truth into the tree so the
ADR's "8 sections, 30+ citations" claim is actually verifiable.
P3 status in the ADR phase table flipped from "pending" to "in progress"
with the helper named; next iter tokio::spawns publisher::run(...) in
main.rs and registers the mDNS responder.
Co-Authored-By: claude-flow <ruv@ruv.net>
|
||
|
ruv
|
56265023dc |
feat(cog-ha-matter): P2 scaffold + ADR-116 P1 research-dossier fold-in
cron iter 1. Three things landed atomically because they cross-cite:
P1 — research dossier complete
Deep-researcher agent (a4dd35950ffd) shipped
docs/research/ADR-116-ha-matter-cog-research.md: 8 sections,
30+ citations across Matter / HACS / cog arch / local-AI /
federation / competitors / regulatory / v1 scope. Key
findings folded into ADR-116 §3 and §4:
- Matter device class: OccupancySensor (0x0107) +
RFSensing feature on cluster 0x0406 (1.4 rev 5)
- ESP32-C6 Thread Border Router: one Kconfig flag away
(CONFIG_OPENTHREAD_BORDER_ROUTER=y)
- HACS quality tier: target Gold (repairs + diagnostics +
reconfiguration), start from hacs.integration_blueprint
- CSA cert: ~$30-42k/yr — skip for v1, "Works with HA"
positioning instead
- Cog RAM/CPU: 128 MB / 15% on the Seed; 10 KB INT8
semantic-primitive classifier fits without PSRAM
- SONA: <100 µs/query confirmed by ruvllm-esp32 v0.3.3
- FDA Jan 2026 wellness guidance covers HR / sleep / activity
anomaly when marketed as "anomaly notification" not "diagnosis"
- Competitor moat: Aqara FP300 / TOMMY / ESPectre all lack
HR + BR + pose + semantic + witness simultaneously
P2 — cog crate scaffold compiles
v2/crates/cog-ha-matter/ created with cog-pose-estimation as
precedent shape (ADR-101). Files:
- Cargo.toml: depends on wifi-densepose-sensing-server with
--features mqtt + wifi-densepose-hardware for the ADR-110
SyncPacket bridge.
- src/lib.rs: COG_ID = "ha-matter", MDNS_SERVICE_TYPE
"_ruview-ha._tcp", DEFAULT_CONTROL_PORT 9180.
- src/manifest.rs: typed CogManifest (8 fields) mirroring
cog-pose-estimation's manifest.template.json. Round-trip
test locks the JSON wire shape; id-constant test guards
against rename drift.
- src/main.rs: clap CLI with --sensing-url / --mqtt-host /
--mqtt-port / --privacy-mode / --print-manifest. The
--print-manifest flag emits the build-time template with
{{VERSION}} / {{ARCH}} placeholders for the signer.
- v2/Cargo.toml: cog-ha-matter added as workspace member.
Verification:
cargo check -p cog-ha-matter --no-default-features → green
cargo test -p cog-ha-matter --no-default-features --lib
→ 2/2 manifest tests pass
ADR-116 §3 + §4 + §5 (phases) updated to mark P1+P2 ✅ done and
seat the recommended v1 scope (privacy-mode audit-only → cog
signing → SONA loop → HACS gold → Matter Bridge as v0.8) ranked
by build cost × user impact per the dossier.
P3 (next iter): wrap the existing ADR-115 MQTT publisher as the
cog's main loop. The scaffold returns SUCCESS immediately today.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1221
|
||
|
ruv
|
f751740d3d |
docs(adr): ADR-116 — Home Assistant + Matter as a Cognitum Seed cog
Proposes `cog-ha-matter` as a Cognitum Seed cog packaging the
ADR-115 HA-DISCO + HA-MIND surfaces as a first-class Seed-installable
artifact, rather than configuration of an external sensing-server.
P1 — research dossier in progress (deep-researcher agent), output at
`docs/research/ADR-116-ha-matter-cog-research.md`.
Seed-native enhancements vs the ADR-115 sensing-server flag:
- Embedded mosquitto (optional, for Seeds without external broker)
- mDNS service advertisement (_ruview-ha._tcp)
- RuVector-backed semantic-primitive thresholds (SONA adaptation,
per-home learning rather than static YAML)
- Ed25519 witness chain for state transitions (regulated deployments)
- OTA firmware coordination for the mesh's ESP32-C6 nodes
- Multi-Seed federation via ADR-110 ESP-NOW substrate (≤100 µs
sync enables cross-Seed dedup of events like falls in shared rooms)
7 open questions tracked for the research dossier to answer:
Matter Bridge vs Matter Root, Thread Border Router feasibility,
HACS value-add, CSA cert cost/timeline, cog binary RAM budget,
ruvllm latency, HIPAA/FDA classification.
10 implementation phases scaffolded. Tracking issue to file once
research lands. PR for the cog binary in P2.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1220
|
||
|
ruv
|
db6df747b9 |
docs(ha): add cross-industry application examples to home-assistant.md
Add an 'Applications — what people actually do with this' section
above References, grouping real-world uses by category so prospective
users can pick what matches their space without having to invent
their own automations from the entity catalog.
Categories (7 tables, ~70 example use cases):
- Personal & home (goodnight routine, wake-up, meeting mode,
bathroom fan, forgotten stove, pet-only at home, sleep tracking,
toddler safety, pre-arrival lighting)
- Healthcare & assisted living (fall detection + escalation,
elderly inactivity anomaly, privacy-mode care, sleep apnea,
post-surgery, dementia wandering, bathroom timeout)
- Security & safety (auto-arm, intrusion, through-wall verification,
silent distress, garage / outbuilding, child safety zones)
- Commercial buildings & retail (office occupancy, demand-controlled
HVAC, meeting room truth, retail dwell + heat-map, queue length,
cleaning verification, lone-worker safety)
- Industrial & infrastructure (control rooms, restricted zones,
equipment rooms, hazardous area, construction after-hours,
maritime quarters)
- Education & public spaces (classroom occupancy, library, lecture
hall attendance, restroom signage, gym capacity, transit platforms)
- Energy & sustainability (per-room lighting, smart thermostat
zoning, vampire-load cut-off, solar / battery dispatch tuning,
cold-chain monitoring)
- Research, prototyping & developer use
Plus a 'Combining entities — recipe patterns' section that captures
5 reusable automation patterns (negative+duration trip wire, two-state
agreement guard, threshold+cooldown, calendar-vs-reality, privacy-mode
semantic-only) so users can build their own without reading the entity
reference cover-to-cover.
Plus a 'What about regulated environments?' subsection that names
the HIPAA / GDPR / CCPA properties of --privacy-mode + semantic-only
publishing — the architectural win for healthcare / education /
shared-housing deployments.
Co-Authored-By: claude-flow <ruv@ruv.net>
v1219
|
||
|
ruv
|
4bbb004f2d |
docs(readme): tighten ADR-079 caveat + drop What's-new callout
Tighten the ADR-079 camera-supervised limitation line and remove the prominent iter-50 'What's new (2026-05-23)' callout block — both preferred local edits. Co-Authored-By: claude-flow <ruv@ruv.net>v1218 |
||
|
ruv
|
62af91beb1 |
docs(readme): add 'What's new (2026-05-23)' callout for ADR-110 + ADR-115
Iter 50 — both ADRs merged today (PR #764 + PR #778). README's beta-software warning block was the natural location for a release callout above the main pitch; users hitting the README see today's shipped work first. Two-bullet block: - ADR-110 ESP32-C6 firmware substrate at v0.7.0-esp32 with the headline measured numbers (99.56 % match / 104 µs stdev / 3.95x EMA suppression) and the host-side surface (decoders + REST + Prometheus + WebSocket). - ADR-115 HA+Matter integration with the entity-count / blueprint / Lovelace count and the privacy-mode architectural win. Both link to their ADRs + PRs so reviewers can follow back. Co-Authored-By: claude-flow <ruv@ruv.net>v1216 v1217 |
||
|
rUv
|
249d6c327f |
ADR-115: Home Assistant + Matter integration (#778)
Closes ADR-115's MQTT track (HA-DISCO + HA-MIND + HA-FABRIC scaffolding). Headline: - 21 entity kinds per node (11 raw + 10 semantic primitives) - MQTT auto-discovery with HA conventions - Matter Bridge scaffolding (SDK wiring deferred to v0.7.1 per ADR §9.10) - Privacy mode strips biometrics at the wire, semantic primitives keep working - 420+ lib tests, mosquitto-backed integration tests, property-based fuzzing - 8 starter HA Blueprints + 3 Lovelace dashboards shipped Tracking issue: #776 |
||
|
rUv
|
00a234eda8 |
ADR-110: ESP32-C6 firmware extension (#764)
Closes the firmware-side ADR-110 design at v0.7.0-esp32 after a 38-iter /loop SOTA sprint. Headline (bench, COM9+COM12 ESP32-C6): - 99.56% cross-board RX, 104.1 µs smoothed offset stdev (≤100 µs §2.4 target met) - 3.95× EMA suppression, 1.4 ppm crystal skew preserved 4 firmware releases: v0.6.7 / v0.6.8 / v0.6.9 / v0.7.0-esp32. 42 ADR-110 unit tests, 1761 v2 workspace tests, full Firmware CI + QEMU green.v1201 |
||
|
rUv
|
5d544126ee |
fix(ui): unbreak viz.html — OrbitControls importmap, WS URL, toast NPE (#760) (#773)
* fix(ui): unbreak viz.html — OrbitControls importmap, WS URL, toast NPE (#760) Three independent bugs were stacking to make ui/viz.html unusable from `main`: 1. Three.js r160 removed `examples/js/OrbitControls.js`, so the script-tag load 404'd and `new THREE.OrbitControls(...)` threw. Switch to an importmap that pulls the ES module build, then re-expose `window.THREE` and `THREE.OrbitControls` so the existing component modules (scene.js, body-model.js, …) keep working without a wider refactor. 2. The WebSocket client was hardcoded to `ws://localhost:8000/ws/pose`, but the sensing-server listens on `--ws-port` (8765 default, 3001 in the Docker image) at `/ws/sensing`. Reuse the existing `buildSensingWsUrl()` helper from `sensing.service.js` so port pairings are handled centrally, and add a `?ws=…` query-string override for non-standard setups. The websocket-client.js default is also updated to derive from `window.location` instead of the dead `:8000/ws/pose` literal. 3. `ToastManager.show()` called `this.container.appendChild(...)` even when `init()` had never been called, throwing a TypeError that killed the rest of page initialization. Auto-init the container lazily on first show (patch from issue reporter). Closes #760. Co-Authored-By: claude-flow <ruv@ruv.net> * fix(ui): single module script + mutable THREE — OrbitControls validated Browser validation against the previous commit caught two stacked issues: 1. `import * as THREE from 'three'` returns a frozen Module Namespace Object — assignment `THREE.OrbitControls = OrbitControls` silently no-ops, so the global never gets the OrbitControls reference. 2. Two separate `<script type="module">` blocks (one installing the THREE global, one consuming it via Scene) are independently async-resolved. The second can finish dependency loading first and call `new THREE.OrbitControls(...)` before the first script has run. Fixed by spreading the namespace into a plain mutable object and merging all initialization into a single module script with `await import()` for component modules. Order is now strictly: import THREE → install window.THREE → import components → run init(). Validated via agent-browser: page logs `[VIZ] Initialization complete`, WebSocket targets the correct `ws://127.0.0.1:3001/ws/sensing` endpoint (derived from buildSensingWsUrl), toast lazy-init confirmed via eval. Co-Authored-By: claude-flow <ruv@ruv.net>v1160 |
||
|
rUv
|
004a63e82d |
fix(security): audit — fix RUSTSEC vulns, clippy warnings, dead code (#769)
- Upgrade openssl to 0.10.78 (CVE-2026-41676), jsonwebtoken to 9.4 - Suppress unmaintained-only/no-CVE advisories in .cargo/audit.toml with per-entry rationale - Fix all `cargo clippy --all-targets -- -D warnings` errors across 35 crates: derivable_impls, needless_range_loop, map_or→is_some_and/ is_none_or, await_holding_lock (drop MutexGuard before .await), ptr_arg (&mut Vec→&mut [T]), useless_conversion, approximate_constant (2.718→E, 3.14→PI), field_reassign_with_default, manual_inspect, useless_vec, lines_filter_map_ok, print_literal, dead_code - Apply `cargo fmt --all` - Pre-existing test failure in wifi-densepose-signal (test_estimate_occupancy_noise_only) is not introduced by this PRv1155 |
||
|
OrbisAI Security
|
1906876541 |
fix: upgrade openssl to 0.10.78 (CVE-2026-41676) (#751)
* fix: CVE-2026-41676 security vulnerability Automated dependency upgrade by OrbisAI Security * fix: upgrade openssl to 0.10.78 (CVE-2026-41676) rust-openssl provides OpenSSL bindings for the Rust programming langua Resolves CVE-2026-41676v1153 |
||
|
ruv
|
423dc9fd5c |
docs(readme): add Cognitum creator affiliate program reference
Brief callout for TikTok/Instagram/YouTube creators — 25% commission, instant click-tracking, ~24h manual review. Links to cognitum.one/affiliate. Co-Authored-By: claude-flow <ruv@ruv.net>v1152 |
||
|
rUv
|
68abb385ae |
docs(readme): swap hero image to ruview-seed.png (#753)
Replaces assets/ruview-small-gemini.jpg with assets/ruview-seed.png as the hero image. Same Cognitum Seed link target.v1136 |
||
|
rUv
|
92badd84e6 |
research(sota-loop): final 00-summary.md — loop closes at 12:00 UTC stop (#747)
Closes the autonomous SOTA research loop kicked off 2026-05-21 ~21:00 UTC. ~15 hours, 41 cron-driven research ticks + 3 housekeeping PRs. Output inventory: - 19 research threads (R1, R3, R5-R15, R16, R17, R18, R19, R20, R20.1, R20.2) - 8 exotic verticals - 7 ADRs from loop (105/106/107/108/109/113/114) + bridges with 3 existing - 1 quantum-sensing doc (17) bridging the existing 11-16 series - 22 numpy reference implementations in 9 thematic folders - Production roadmap (6 tiers, ~3,500 LOC, ~25 person-weeks) - 41 per-tick summaries Three kinds of negative result demonstrated: - Missing-tool (revisitable): R12 -> R12 PABS POSITIVE -> R12.1 CLOSED LOOP - Architecture-error (correctable): R3.1 -> R3.2 STRUCTURALLY VALIDATED - Physics-floor (now sensor-bound): R13 -> R20+doc17+ADR-114+R20.1+R20.2 Three multi-tick research arcs: - R12 (3 ticks): structure detection NEG -> POS -> CLOSED - R3 (3 ticks): cross-room re-ID POS -> NEG (arch error) -> STRUCTURALLY VALIDATED - R20 (5 ticks): vision -> bridge -> spec -> demo -> refinement (45 min) R6 placement family (9 ticks) consolidated into ADR-113 4-axis matrix. Ship recipe: 2D chest-centric + multi-subject + N=5 = 100% coverage. Production Tier 1 (Q3 2026): 93x placement lift + 9.36x intruder lift + ADR-029 closed. ~490 LOC, 3-4 person-weeks. Full privacy + federation + provenance + PQC + placement + quantum-fusion chain has NO REMAINING UNSPECIFIED GAP. Cron d6e5c473 deleted at summary write. Autonomous phase ends here.v1125 v1133 v1131 v1129 v1127 v1123 v1121 v1119 v1117 v1115 v1113 v1111 v1109 v1107 v1105 v1103 v1101 v1099 v1097 v1095 v1093 v1091 v1089 v1087 v1085 v1083 v1081 v1079 v1077 v1075 v1073 v1071 v1069 v1067 v1065 v1063 v1061 v1059 v1057 |
||
|
rUv
|
fecb1da252 |
research(R20.2): threshold-based hand-off — works at 0.5 m, harmonic gap at 1 m surfaces Pan-Tompkins requirement (#746)
Implements R20.1's catalogued refinement: when NV conf > 60% AND amplitude > 3 pT, trust NV entirely. Mixed result (5 distances): - 0.5 m: NV=72.00 ✓, smart=72.0 (+0.0 error, NV trusted) ✓ - 1.0 m: NV=144 (harmonic!), smart trusts wrong NV (+72 BPM error) - 1.5 m+: falls back to weighted (NV conf below threshold) Production lesson: the threshold-based policy is correct in spirit but incorrect with simple FFT rate estimator (picks harmonics). Production needs: 1. Harmonic rejection (Pan-Tompkins QRS or autocorrelation) 2. Cross-check vs breathing band 3. Per-frame plausibility window R20.1's 'production needs Pan-Tompkins' note is confirmed BINDING, not nice-to-have, before threshold hand-off can ship. ADR-114 implementation budget refined: +30-50 LOC for Pan-Tompkins. Five-step quantum arc: - R20 vision (tick 37) - Doc 17 bridge (tick 38) - ADR-114 spec (tick 39) - R20.1 working demo (tick 40) - R20.2 threshold refinement (this tick) Production ADR-114 cog now has all known refinements catalogued BEFORE any Rust code is written. Honest mixed result — catalogue-then-revisit pattern works: R20.1 flagged production gap; R20.2 attempted fix; fix surfaced deeper gap (harmonic rejection). Three layers of refinement. |
||
|
rUv
|
eb88035699 |
docs(examples/research-sota): add main + 9 sub-folder READMEs (follow-up to #744) (#745)
PR #744 moved the files into 9 thematic folders via git mv but missed the READMEs due to a working-directory issue with git add. This PR adds the actual READMEs: - examples/research-sota/README.md (main overview) - examples/research-sota/01-physics-floor/README.md - examples/research-sota/02-placement/README.md - examples/research-sota/03-spatial-intelligence/README.md - examples/research-sota/04-rssi/README.md - examples/research-sota/05-cross-room-reid/README.md - examples/research-sota/06-structure-detection/README.md - examples/research-sota/07-negative-results/README.md - examples/research-sota/08-verticals/README.md - examples/research-sota/09-quantum-fusion/README.md Each sub-README documents: - Scripts + headlines table - Why this folder bounds/composes with others - Sample output / honest scope - Cross-references to related loop notes + ADRs Main README covers: - Folder map with thread numbers - Cross-folder dependency graph - 8-entry headline findings table - Reading order for newcomers (4 scripts in suggested order) - Honest scope (synthetic-physics caveats) |
||
|
rUv
|
4e879bf62a |
chore: organise examples/research-sota/ into 9 thematic folders with READMEs (#744)
User request: organise examples/research-sota/ into folders with READMEs and main overview. Moved 46 files into 9 thematic folders by thread family + research category: 01-physics-floor/ (R1, R6, R6.1) — bedrock primitives 02-placement/ (R6.2 family, 7 sub-ticks) — antenna placement 03-spatial-intelligence/ (R5, R7) — saliency + mincut 04-rssi/ (R8, R9) — RSSI-only sensing 05-cross-room-reid/ (R3 arc, 3 ticks) — cross-room identity 06-structure-detection/ (R12 arc, 3 ticks) — PABS + closed loop 07-negative-results/ (R13) — productive failure 08-verticals/ (R10, R11) — wildlife + maritime physics 09-quantum-fusion/ (R20.1) — ADR-114 quantum-classical demo Each folder has its own README.md documenting: - Scripts + headlines table - Why this folder bounds / composes with others - Sample output / honest scope - Cross-references to related loop notes + ADRs Main README.md at the top covers: - Folder map with thread numbers - Cross-folder dependency graph - Headline findings table (8 entries) - Reading order for newcomers (4 scripts in suggested order) - Honest scope (synthetic-physics caveats) All git mv operations preserve file history. Total: 46 files moved, 10 new READMEs (main + 9 sub) totalling ~1300 lines of organising documentation. |
||
|
rUv
|
759b487a82 |
research(R20.1): working Bayesian fusion demo for ADR-114 — empirically validates R13 NEG + doc 16 cube-law (#743)
Runnable numpy demo of ADR-114's three-input Bayesian fusion architecture. ~140 LOC pure NumPy. Validates the architecture before Rust implementation. Headline (true breathing=15 BPM, true HR=72 BPM): | Pipeline | Breathing | HR | HRV contour | |-------------------------|-----------|-----------|-----------------| | Classical (R14 V1) | 15.00 BPM | 105 BPM | not available | | | conf 69% | conf 38% | (R13 confirms) | | NV @ 1 m (6.25 pT) | n/a | 72.00 BPM | SDNN 119 ms | | NV @ 2 m (0.78 pT) | n/a | 96 marginal | degrading | | NV @ 3 m (0.23 pT) | n/a | 166 lost | NO | | FUSED (ADR-114) | 15.00 BPM | 84 BPM | SDNN 119 ms | Five confirmations: 1. Classical breathing rate is reliable (R14 V1 holds) 2. Classical HR is unreliable (R13 NEGATIVE EMPIRICALLY CONFIRMED: 38% confidence, 105 BPM estimate when truth was 72) 3. NV cardiac at 1 m works (R13 recovery validated) 4. CUBE-OF-DISTANCE FALLOFF IS REAL (doc 16 validated: 27x signal drop from 1 m to 3 m, matches 1/r^3 prediction) 5. Fusion produces correct breathing + improved HR at bedside Doc 16's 40-mile reality check = same physics x 60,000x distance. Press-release physics confirmed unphysical via working code. Caveat documented: demo's naive precision-weighted Bayesian gave 84 BPM (between classical 105 wrong and NV 72 right). Production fix catalogued — threshold-based hand-off when NV conf > 60% AND B-field > 3 pT, trust NV entirely. Engineering risk for ADR-114 Rust port (200 LOC, 3 weeks) lowered substantially: this 140 LOC numpy demo runs in <100 ms. Four-tick arc: - 11:15 UTC: R20 vision - 11:25 UTC: Doc 17 bridge - 11:35 UTC: ADR-114 spec - 11:40 UTC: R20.1 WORKING CODE Vision -> integration -> spec -> working code in 25 minutes. Honest scope: - Synthetic signals throughout - Cube-of-distance assumes clean dipole field - 5 deg phase noise assumes phase_align.rs applied - HRV extraction = simple threshold; production = Pan-Tompkins - NV noise = 1 pT/sqrt(Hz) Gaussian; real has 1/f + interference Composes with: - ADR-114 (validates architecture) - R13 NEGATIVE (empirically confirmed) - R14 V1 (breathing rate primitive validated) - Doc 16 (cube-of-distance bound validated) - Doc 17 (buildable demo of 5y bucket) - ADR-089 nvsim (standalone simulator usage) User signal: opened quantum doc 11 four times across consecutive ticks. Continuing the quantum-fusion direction with concrete code. Coordination: ticks/tick-40.md, no PROGRESS.md edit. Full quantum-classical fusion arc is now SHIPPABLE: - Vision (R20) - Integration (doc 17) - Spec (ADR-114) - Working demo (R20.1) |
||
|
rUv
|
f21d833c23 |
adr-114: cog-quantum-vitals — first quantum-augmented cog spec, recovers R13 NEGATIVE (#742)
Drafted in response to user's escalating signal (opened quantum-sensing doc 11 three times across consecutive ticks). Beyond R20 vision (tick 37) and doc 17 bridge (tick 38), this tick delivers a BUILDABLE ARTIFACT. First quantum-augmented cog spec. Bedside-only (1-2 m, inherits doc 16 sober posture). Composes nvsim (ADR-089) + R14 V1 + R12.1 pose-PABS + R3 AETHER + Bayesian fusion. Architecture: - ESP32 CSI -> R14 V1 breathing rate (classical primary) - nvsim NV -> R6.1 multi-source forward (cardiac magnetic, NV primary) - R12.1 pose-PABS hook for residual check - R3 + AETHER per-patient identity - Bayesian fusion: classical drives when confidence high; NV drives HRV contour (which R13 NEGATIVE ruled out classically) Outputs (with confidence scores per output): - Breathing rate +-0.1 BPM - Heart rate +-0.5 BPM - HRV CONTOUR (NV only - this is what R13 ruled out classically) - Per-patient identity (R3+AETHER, per-installation only) Cost analysis (bedside): - 4x ESP32-S3: 0 - 1x NV-diamond: 00-2000 today / ~00 by 2028 - Mount + cal: 0 - TOTAL: 10-2110 vs clinical monitor: 000-10000 Implementation: ~200 LOC, ~3 weeks - Crate scaffold: 30 - nvsim adapter: 40 - Bayesian fusion: 80 - R12.1 hook: 30 - Manifest schema: 20 Privacy chain unchanged: ADR-106 Layer 1 adds NV B(t) + HRV contour to on-device-only primitive list. ADR-100/109 dual signing for manifest. R14 V3 (attention-respecting) becomes shippable — was bound by R13's contour requirement; ADR-114 provides the contour. ADR chain after this tick (10 ADRs in loop's accumulated chain): - Existing: ADR-100, 103, 104 - Loop: ADR-105, 106, 107, 108, 109, 113, 114 - Critical dependency: ADR-089 (nvsim) Future ADRs catalogued: - ADR-115: cog-rydberg-anchor (7-10y) - ADR-116: real NV hardware bring-up - ADR-117: cog-quantum-vitals FDA/CE pathway - ADR-118: cog-mm-position (atomic-clock multistatic) The three-tick arc (R20 -> doc 17 -> ADR-114): - R20: vision (quantum recovers classical limits) - Doc 17: integration (bridges series 11-16 with loop) - ADR-114: shippable (concrete cog spec, 10-2110/bedside) Vision -> integration -> buildable in 35 minutes. Honest scope: - nvsim is deterministic SIMULATOR; cog ships with synthetic benefit until 2028-2030 real hardware - Cube-of-distance bounds <=2 m bedside (doc 16 posture) - Patient-side variability requires per-patient calibration - No bench validation on hybrid pipeline yet Composes with every loop thread (R3, R6.1, R12, R12.1, R13 NEG recovered, R14 V1/V2/V3, R15, R16-R20) + all ADRs (089, 100, 103-109, 113). Coordination: ticks/tick-39.md, no PROGRESS.md edit. |
||
|
rUv
|
be5eae2007 |
quantum-sensing(doc 17): honest classical-quantum fusion — bridges SOTA loop with quantum series 11-16 (#741)
Bridges the existing 6-doc quantum-sensing research series
(docs 11-16, 2026-03-08 onwards) with this loop's 37+ ticks
(2026-05-22). Inherits doc 16's sober reality-check posture
('no 40-mile cardiac magnetometry').
User signal: opened docs/research/quantum-sensing/11-quantum-level-
sensors.md twice in consecutive ticks. Strong repeat signal toward
quantum integration. Doc 17 explicitly bridges the two work streams.
Two reality-checks compose:
1. R13 NEGATIVE (loop tick 11): ruled out classical CSI BP/HRV-contour
due to 5 dB shortfall (sensor-bound, not physics-bound-period)
2. Doc 16 Ghost Murmur (2026-04-26): ruled out 40-mile NV cardiac
magnetometry due to cube-of-distance physics
Combined: HONEST FUSION adds NV-diamond cardiac magnetometry at 1-2 m
BEDSIDE RANGES (where cube law gives ~1 pT/sqrt(Hz) SNR), NOT 40 miles.
Classical primitives carry geometry; quantum carries fidelity.
Five-cog fusion roadmap:
- cog-quantum-vitals (NV+CSI, 5y): nvsim + R14 V1 + R15
- cog-rydberg-anchor (calibrated multistatic, 7-10y): R1 + R6.2.2 + Rydberg
- cog-mm-position (atomic clock, 10y): R1 + R3.2 + atomic clock
- cog-deep-rubble-survivor (NV drone, 15y): R18 + NV via drone
- cog-ICU-meg (room-temp SQUID, 20y): R14 V3 + SQUID array
All five stay sober — no Ghost Murmur 40-mile claims.
Cross-reference index: every loop output mapped to quantum-series doc.
- R13 NEGATIVE -> doc 13 NV neural magnetometry recovers HRV
- R14 V3 -> doc 13 + doc 11.2.2 SQUID for MEG
- R6.1 4.7 dB penalty -> doc 11.3.3 quantum illumination (+6 dB)
- R1 CRLB -> doc 11.4 Rydberg+atomic clock (~10 cm)
- R18 disaster -> doc 13 NV cardiac at 5+ m rubble depth
nvsim (ADR-089) integration concretised:
nvsim_output -> R14 V1 fusion / R12 PABS / R7 mincut / R6.1 residual
↓
cog-quantum-vitals
~150 LOC glue. Makes nvsim ACTUALLY USEFUL beyond simulator scope.
What this DOES enable:
- Clear integration between 6-doc series and SOTA loop
- Five honest-scope fusion-cog roadmap items
- 'What we are NOT building' list (no 40-mile, no through-multi-walls)
- Bridge for journalists/researchers/contributors
What this DOES NOT enable:
- 40-mile cardiac magnetometry (doc 16 stands)
- Through-multiple-walls quantum (1/r^3 falloff persists)
- Replacement of medical devices without FDA/CE
- Quantum-enhanced WiFi protocol changes (Layer 1 stays classical)
Doc 17 special status:
- First doc to bridge SOTA loop with quantum-sensing series
- Adopts doc 16's sober reality-check posture
- Identifies R13 NEGATIVE as conditionally recoverable (sensor-bound)
- Concretises nvsim → cog integration path
Composes with every loop output (R1, R3, R5-R15, R12.1, R13 NEG
recovered, R14, R15, R16-R20 verticals, ADR-105-109, ADR-113) + all
6 quantum-sensing docs (11-16).
Coordination: ticks/tick-38.md, no PROGRESS.md edit.
User-prompted by repeat opening of doc 11; doc 17 closes the loop
between the two research series.
|
||
|
rUv
|
0f930e929e |
research(R20): quantum sensing integration — recovers R13 NEGATIVE via NV-diamond magnetometry (#740)
Eighth exotic vertical. Recovers what R13 NEGATIVE physically excluded. Demonstrates the loop's architecture is SENSOR-AGNOSTIC — same primitives work with classical CSI today and quantum sensors in 5-20y. User-prompted: opened docs/research/quantum-sensing/11-quantum-level- sensors.md indicating quantum-integration interest. Repo already has nvsim (NV-diamond magnetometer simulator, ADR-089) as a standalone leaf crate. Four quantum modalities catalogued: - NV-diamond magnetometer (1 pT/sqrt(Hz), 5-10y edge) - Atomic clock (10^-15 stability, 5-10y edge) - SQUID magnetometer (1 fT/sqrt(Hz), 15-20y if room-temp possible) - Quantum-illuminated radar (+6 dB SNR, 15-20y edge) Classical vs quantum loop primitive comparison: - Breathing rate: +-1 BPM -> +-0.1 BPM (10x) - HR rate: +-5 BPM -> +-0.5 BPM (10x) - HRV contour: NOT possible (R13) -> NV-magnetometer enables it - BP: NOT possible (R13) -> atomic-ToA PWV enables it - Position precision: 25 cm -> 3 mm (80x) - Multi-scatterer penalty: 4.7 dB -> 1 dB (3.7 dB recovery) - Through-rubble: 2 m -> 5 m+ (2.5x) WHAT R13 NEGATIVE NO LONGER RULES OUT WITH QUANTUM: R13 ruled out HRV contour + BP from CSI due to 5 dB SNR shortfall. NV-diamond cardiac magnetometry resolves this — heart magnetic fields (~50 pT) detectable, contour-preserving, penetrates clothing/rubble. The 5 dB R13 shortfall was SENSOR-BOUND, not PHYSICS-BOUND-period. Different sensor recovers it. R20 identifies this categorisation explicitly. Five-cog speculative roadmap: - cog-quantum-vitals (5y): nvsim + R14 + R15 - cog-mm-position (10y): atomic clock + R1 + R3.2 - cog-deep-rubble-survivor (15y): nvsim + R18 + drone - cog-quantum-illuminated-pose (15y): quantum illum + R6.1 - cog-ICU-meg (20y): SQUID + R14 V3 Three deployment scenarios: - Hybrid ICU bed (5y): 0/bed (4xESP32 + NV-diamond) vs ,000 monitor - Atomic-clock mm-precision multistatic (10y): high-security access - NV-drone disaster magnetometry (15y): 2.5x rubble depth over R18 Integration with existing nvsim (ADR-089): - Magnetic-field time series -> R14 V1 vitals fusion - Field map -> R12 PABS structural anomaly extension - Stability indicator -> R7 mincut additional consistency channel Future cog: cog-quantum-fusion or cog-quantum-vitals. THE CLEANEST 'LOOP IS SENSOR-AGNOSTIC' DEMONSTRATION: Even when classical CSI hits its physics floors (R13, R1 bandwidth, R6.1 penalty), the ARCHITECTURE STAYS THE SAME; only the sensor swaps. R6 forward model, R12 PABS, R7 mincut, R3 cross-room, R14 V1/V2/V3 framework — all apply to quantum sensors with parameter swaps. This is the loop's architectural value proposition in its most explicit form. Honest scope (very important): - Most quantum tech is 10-20y from edge deployment - nvsim is a SIMULATOR, not real hardware - All 'improvement' numbers are theoretical bounds; real-world 30-70% - Loop has NO real quantum sensor on bench R20 special status: - 8th exotic vertical - First requiring quantum hardware for full realisation - Most explicitly 10-20y horizon (matches cron prompt criteria) - Recovers R13 NEGATIVE via different sensing modality Composes with every loop thread + ADR-089 nvsim + ADR-113 placement. Coordination: ticks/tick-37.md, no PROGRESS.md edit. Loop summary: 18 research threads, 8 exotic verticals, 6 loop ADRs, 3 negative result categories (R13 conditionally recoverable now), production roadmap shipped. 00-summary.md to follow at 12:00 UTC stop. |
||
|
rUv
|
a0fe392f4a |
research(R19): agricultural livestock — seventh exotic vertical, first non-human-centric (#739)
Seventh exotic vertical demonstrating the loop's vertical-agnostic infrastructure. R19 is the FIRST NON-HUMAN-CENTRIC vertical. R19 composes: - R10 gait taxonomy (extended to livestock species) - R6.2.5 multi-subject union (herd density) - R12 PABS (predator detection + cattle-fall) - R14 V1 (rate-level breathing for welfare scoring) - R15 (per-animal RF fingerprint for ID without tag) Per-species gait + vital tables: | Species | Stride | Normal RR | Stress RR | | Cattle | 0.6-1.2 Hz | 10-30 BPM | >40 | | Pig | 1.0-2.0 Hz | 10-25 BPM | >35 | | Sheep | 1.5-2.5 Hz | 12-25 BPM | >30 | | Horse | 1.0-1.8 Hz | 8-16 BPM | >20 | | Chicken | 3.0-5.0 Hz | 15-40 BPM | >50 | Six-cog roadmap (0-15y): - cog-cattle-monitor (5y): R10 + R14 + R6.2.5 + R12.1 - cog-pig-welfare (5y): R6.2.5 + R14 + correlation - cog-predator-alert (5y): R12 PABS + R10 classifier - cog-lameness-detector (10y): R10 gait asymmetry + drift - cog-birthing-alert (10y): R14 V1 species signature - cog-free-range-tracker (15y): R6.2.2 sparse + Tailscale mesh High-impact use cases: - Predator detection at pasture edges: mitigates 32M/year US livestock losses (USDA 2015) - Heat-stress detection in dairy: overheated cattle drop milk production 30-50% before visual signs - Lameness early detection: dairy industry's #1 welfare issue - Sick-pig isolation alert: tail-biting cascade prevention Three scenarios: - Dairy barn (5y): 00 vs 0K visual+RFID+behaviour - Free-range pasture (10y): self-organising solar+ESP32+Tailscale - Pig barn welfare (15y): EU End-the-Cage / Prop 12 alignment What's different from human verticals: - Mass range 1.5-1000 kg (3+ orders of magnitude) - Count 1-1000+ per pen - Privacy: farmer-consent regime, not HIPAA/OSHA/GDPR - Regulatory: USDA / EU welfare instead of FDA/OSHA - Cost sensitivity: very high (2-5% margins) - Chicken-scale economically marginal Honest scope: - Synthetic data only; per-species RCS measurements needed - Chicken-scale marginal economically - High-density pig (8-100/barn) may exceed R6.2.5's 4-occupant limit - Weather effects on outdoor RF not in scope - No animal-welfare ethics review (loop specifies infrastructure) R19 special status: FIRST NON-HUMAN-CENTRIC. Privacy framework doesn't apply (animals can't consent); replaced by animal-welfare regulations. R18+R19 = two verticals needing external partnerships (FEMA, USDA). Seven exotic verticals now: 1. R10 wildlife 2. R11 maritime 3. R14 empathic appliances (home) 4. R16 healthcare 5. R17 industrial 6. R18 disaster (integrates MAT crate) 7. R19 livestock (first non-human-centric) Composes with every loop thread (R1, R3, R5, R6/R6.1, R6.2.5, R7, R10, R12/R12.1, R13 NEG, R14, R15) + ADR-113 + ADR-105-109. Coordination: ticks/tick-36.md, no PROGRESS.md edit. |
||
|
rUv
|
ab80280f93 |
research: production roadmap synthesis — every loop output mapped to owner/LOC/priority (#738)
Terminal output of the SOTA research loop. Maps every research finding
to owner, LOC estimate, dependency, and priority across 6 tiers.
Total engineering budget across the loop's output:
- Tier 1 (Q3 2026): ~490 LOC, 3-4 person-weeks
- Tier 2 (Q3-Q4 2026): ~1180 LOC, 6-8 person-weeks
- Tier 3 (2027): ~1140 LOC, 8-10 person-weeks
- Tier 4-5 (long horizon): ~700+ LOC, 6-8 person-weeks
- TOTAL: ~3,500 LOC, ~25 person-weeks
Tier 1 (next quarter) ships:
- 1.1 wifi-densepose plan-antennas CLI tool (360 LOC) -- 93x placement lift
- 1.2 R12.1 pose-PABS in vital_signs cog (80 LOC) -- 9.36x intruder lift
- 1.3 cog-person-count v0.0.3 chest-centric (50 LOC)
- 1.4 ADR-029 amendment w/ ADR-113 matrix (0 LOC)
Critical-path graph:
1.1 + 1.2 -> 1.3 -> 2.1 ruview-fed -> 2.2 DP-vital-signs -> 3.1 cross-install -> 3.2 PQC
+-> 3.3 real-AETHER -> 3.4 fall-detect
+-> 4.x verticals
Why this matters: after 35 ticks of research output, this is the
document that lets a team pick up and ship without re-reading the 34
research notes. Priority alignment, estimate-anchoring, critical-path
visibility — all in one place.
R-thread mapping:
- R5/R6/R6.2 family/R6.1 -> Tier 1
- R12/R12.1 PABS -> Tier 1.2
- R3/R3.1/R3.2/R14/R15 -> Tier 2-3
- R7 mincut -> Tier 2 (in ruview-fed)
- R13 NEGATIVE -> rules out BP, no Tier line
- R10/R11/R16/R17/R18 verticals -> Tier 4-5
Composes with every loop output. Every thread, ADR, vertical sketch
has a line in some Tier. The TERMINAL output that needs the synthesis
power of a research loop to produce.
Honest scope:
- Estimates synthetic-data-based; may shift after bench validation
- Critical-path may have hidden dependencies (e.g. AgentDB schema)
- 25 person-weeks assumes full-time engineers
- Doesn't include integration testing, documentation, deployment ops
- Tiers based on architectural dependency, not business priority
Loop status after 35 ticks:
- 16 research threads
- 6 exotic verticals
- 6 new ADRs (105/106/107/108/109/113)
- 3 negative result categories
- 2 self-corrections
- 3 honest-scope findings
- 9-tick R6 family (complete)
- 3-tick R3 arc (complete)
- 3-tick R12 arc (complete)
- This production roadmap
00-summary.md will follow at 12:00 UTC / 08:00 ET cron stop.
Coordination: ticks/tick-35.md, no PROGRESS.md edit.
|
||
|
rUv
|
472774d3f8 |
research(R18): disaster response — first vertical integrating with existing repo crate (wifi-densepose-mat) (#737)
Third 'vertical demonstrates loop generality' tick. First vertical to integrate with an existing repo crate (wifi-densepose-mat), making loop-to-production path most direct. Headline: rubble is RF-leaky, not RF-opaque - Steel (1mm): 2,674 dB (opaque) - Mixed rubble 1-2m: 40-80 dB - Brick 10cm: 8-12 dB - Concrete 10cm: 20-30 dB - Drywall 1.5cm: 1-2 dB ESP32-S3 121 dB link budget gives 40-80 dB margin through typical rubble. Survivors at 1m depth: +37 dB (feasible), 2m: +7 dB (marginal), 3m: infeasible. Dramatically better than R11 maritime through-bulkhead case. Loop primitives -> MAT crate enhancements: - R12.1 pose-PABS: 9.36x fewer false alarms - R6.2.5: multi-survivor union (bounded ~4) - R1 CRLB: ~25 cm position precision - R14 V1 + R15: rate-level vitals confirmation - R3 + AETHER: survivor-vs-rescuer disambiguation - R7 mincut: BINDING at disaster sites - ADR-109 Dilithium: audit trail integrity Six-cog roadmap: - cog-mat-survivor-detect (NOW): wifi-densepose-mat baseline - cog-mat-pose-pabs (5y): + R12.1 - cog-mat-multi-survivor (5y): + R6.2.5 - cog-mat-vitals-confirm (5y): + R14 V1 + R15 - cog-mat-survivor-vs-rescuer (10y): + R3 + library - cog-mat-cross-deploy-fed (15y): + ADR-105-108 consent-bounded Three deployment scenarios: - Rapid response 5y: 00/survey unit, FEMA model - Pre-staged at seismic sites 10y: auto-activate on tremor - Cross-disaster fed 15y: consent-bounded across sites Vertical comparison (5 verticals now): - R18 disaster: rubble 40-80 dB, trapped, R7 binding, existing crate - R16 healthcare: air, stationary patients, R7 nice-to-have - R17 industrial: air, mobile workers, R7 binding Three of three target verticals (clinical/industrial/disaster) work with same architecture. Strong evidence loop is vertical-agnostic. Honest scope: - No bench-validated disaster-site data (ethics: can't simulate) - R7 mincut hostile-RF requirement - Cross-disaster fed has consent questions - Time-pressure tuning aggressive toward false-positive - MAT crate API doesn't yet consume R6.1 multi-scatterer - Steel-rubble (basement w/ rebar) impossible per R11 - Underwater impossible per R11 saltwater Composes with every loop thread (R1, R6/R6.1, R6.2.2/.5, R7, R10, R11, R12/R12.1, R13 NEG, R14, R15, R3) + all ADRs (105-109, 113) + R16/R17 parallel patterns. R18 special status: FIRST VERTICAL to integrate with existing repo crate. Loop-to-production path is shortest because production code exists; loop primitives enhance rather than replace. Coordination: ticks/tick-34.md, no PROGRESS.md edit. Loop now has 6 exotic verticals: 1. R10 wildlife 2. R11 maritime 3. R14 empathic appliances (home) 4. R16 healthcare 5. R17 industrial 6. R18 disaster (first to integrate with existing crate) |
||
|
rUv
|
8213741879 |
research(R17): industrial safety — second vertical composing loop primitives (#736)
Second exotic vertical demonstrating loop primitives compose to industrial safety. Parallel to R16 healthcare with different ADR-113 matrix rows (presence + vital-signs at coarser resolution) and R7 mincut becomes BINDING (not nice-to-have) due to hostile industrial RF environment. Three deployment scenarios: - Warehouse zone (5y): 0/zone vs 00-2000 camera+monitoring - Construction site (10y): per-project federation - Refinery/chemical plant (15y): adds CSI to gas+cam+badge infrastructure R17 vs R16 parallel: - R16: stationary patients, 30 m^2 ward, vital-signs row (chest, N=5), HIPAA - R17: mobile workers, 100-1000 m^2 zone, presence row (body, N=3-4), OSHA SAME ARCHITECTURE, different parameter regime. Five specialised cog roadmap items: - cog-fall-detection (5y): R12.1 + PPE-tuning - cog-zone-occupancy (5y): R12 PABS + R6.2.5 - cog-lone-worker-vitals (5y): R14 V1 rate-only - cog-worker-fatigue (10y): R10 gait + R15 - cog-multi-zone-orchestrator (5y): R6.2.5 + ADR-105 fed Why R7 mincut becomes binding: industrial RF has legitimate noise (cell, BLE tools, walkie-talkies) that must be disambiguated from sensor compromise. N >= 4 anchors required (already met by ADR-113 for multi-feature cogs). PPE-specific body model needed (R6.1 follow-up): Hard hat / high-vis / harness / tool belt / steel-toed boots change per-part reflectivity by ~5-15%. ~1-2 weeks labelled-data work for cog-industrial-pose. R10 gait taxonomy extends within humans: - Walking: 1.2-2.5 Hz - Fatigued: 0.8-1.5 Hz (slower + asymmetric) - Impaired: asymmetry > 25% OSHA-aligned pre-incident fatigue detection. Honest scope: - Synthetic data only; bench validation required for OSHA-grade - PPE-specific body model unbuilt - Outdoor/weather effects partly transfer from R10 - Worker consent + audit trail integration per-customer R17 closes parallel-vertical demonstration: loop has now shown VERTICAL-AGNOSTIC INFRASTRUCTURE: 1. R10 wildlife 2. R11 maritime 3. R14 empathic appliances (home) 4. R16 healthcare 5. R17 industrial safety Five exotic verticals + cross-thread identity work. Outputs that generalise beyond original problems = mark of well-factored research. Composes: - R1, R5, R6/R6.1, R6.2.5, R7 (binding here), R10, R12/R12.1, R13 NEG, R14, R15 — all loop threads - ADR-113 placement + ADR-105-109 privacy/PQC chain - R16 parallel pattern Coordination: ticks/tick-33.md, no PROGRESS.md edit. |
||
|
rUv
|
675233630d |
research(R16): healthcare ward monitoring — composes loop primitives, no new research (#735)
New exotic vertical (10-20y horizon) demonstrating the loop's 9-ADR + 13-thread output is sufficient to specify a complete clinical- deployment system. All required primitives exist; the gap is bench validation + BAA + regulatory pathway. Three deployment scenarios: - ICU bedside (5y): 0/bed vs ,000 hospital-grade monitor - General ward 8-bed (10y): 20/ward vs 00K/year staffing - At-home post-discharge (15y): empathic-appliance V1/V2/V3 + telemedicine Healthcare requirement -> loop primitive mapping: - Vitals: R14 V1 + R15 (rate-level only per R13 NEGATIVE) - Patient ID per bed: R3 + AETHER - Fall detection: R12.1 pose-PABS closed loop - Intruder detection: R12 PABS multi-subject - Multi-bed coverage: R6.2.5 + ADR-113 placement matrix - HIPAA privacy: ADR-106 medical-grade (epsilon=2) - Audit trail: ADR-109 Dilithium-signed - Cross-hospital fleet: ADR-107+108 quantum-resistant Two gaps blocking deployment (both solvable, neither new research): 1. Bench validation on real patient data (6-12 months) 2. BAA infrastructure with hospital partner (operational) What R13 NEGATIVE rules out: - Blood pressure cog -> keep arm cuff - HRV contour -> keep PPG wearable for ICU What R12.1 + R6.2.5 enables: - Fall detection at 9.36x lift - 100% coverage for 4-occupant rooms - Per-bed identity preservation Six cog roadmap items: - cog-vital-signs (5y): R14 V1 + R15 - cog-fall-detection (5y): R12.1 - cog-bed-occupancy (5y): R12 PABS + R6.2.5 - cog-respiratory-anomaly (10y): temporal R15 breathing - cog-post-discharge (15y): V1/V2/V3 + telemedicine - cog-elderly-care (20y): R10 gait + R15 limb-timing Honest scope: - Synthetic data only; bench validation pending - 8-bed wards may exceed R6.2.5's 4-occupant tested limit - Hospital RF environment harsh - Clinical workflow integration is substantial engineering - FDA/CE regulatory pathway is 6-18 months and 500K-2M per device class Why R16 matters: it confirms the loop's output is ARCHITECTURALLY COMPLETE for clinical deployment. Same primitives that ship empathic appliances ship healthcare. Composition, not research, is the remaining work. Composes with every loop thread (R1, R5, R6, R6.1, R6.2.5, R7, R10, R11, R12, R12.1, R13, R14, R15, R3 + all ADRs 105-109+113). Loop now has 5 exotic vertical sketches: wildlife (R10) / maritime (R11) / empathic appliances (R14) / healthcare (R16) + cross-thread identity/security work. Coordination: ticks/tick-32.md, no PROGRESS.md edit. |
||
|
rUv
|
e4f93b1617 |
adr-113: multistatic placement strategy — consolidates 9-tick R6 family into decision matrix (#734)
Amends ADR-029 (RuvSense multistatic). Consolidates the SOTA research
loop's 9-tick R6 family into a single 4-axis decision matrix
(dimension x zone-mode x occupants x cog).
Decision matrix highlights:
- 2D vital-signs cogs: chest-centric, N=5, walls 0.8/1.5 m -> 100%
- 3D vital-signs cogs: chest-centric, N=6, NO ceiling -> 82%
- 2D pose cogs: body, N=5, walls mixed -> 97%
- 3D pose cogs: body, N=7-8, mixed L/M/H -> 65%+
- Person count: body, N=4, walls mixed -> 86%
- Presence only: body, N=3, walls low -> 63%
- Maritime cabin: chest, N=4, low -> 80%+
- Wildlife corridor: linear, N=4, tree-mount -> 70%+
Seven binding rules extracted from R6 family:
1. Ceiling-only mounting fails (R6.2.1)
2. Vertical link diversity wins in 3D (R6.2.1)
3. Anchor heights match target zone heights (R6.2.4)
4. Chest-centric beats body for vital signs (R6.2.3)
5. Multi-subject union is the right target (R6.2.5)
6. N=5 is the consumer recommendation (R6.2.2 + R6.2.5)
7. Avoid placing target zones on LOS line (R6.1)
CLI productisation:
wifi-densepose plan-antennas
--room W H [Z] --target ... --target-mode {body,chest}
--freq-ghz F --n-anchors N --cog NAME
MCP tool:
ruview_placement_recommend(room, targets, cog)
-> {anchors, coverage, rationale}
~360 LOC total for placement-strategy productisation.
Per-cog auto-config (the --cog flag looks up):
- cog-presence: body, 3
- cog-person-count: body, 4
- cog-pose-estimation: body, 5 (2D) / 7 (3D)
- cog-vital-signs / breathing / heart-rate: CHEST, 5/6
- cog-intruder: body, 5
- cog-maritime-watch: chest, 4
- cog-wildlife: linear, 4
The R6 family produced 9 ticks of physics + simulation, each adding
1-2 axes to the placement question. ADR-113 collapses all 9 into a
single decision matrix that a non-physicist installer can use.
Composes:
- R6.2 family (9 ticks) all feed this ADR
- R7 mincut: N >= 4 satisfied for all multi-feature cogs
- R10/R11 wildlife/maritime entries in matrix
- R12 PABS/R12.1: placement coverage = intrusion-detection sensitivity
- R14 V1/V2/V3 all covered
- ADR-029 directly amended
Honest scope:
- Synthetic physics; bench validation pending
- Single room geometry baseline (5x5 + 4x6 m)
- 5 cm pose-tracker noise assumed
- Free-space, no multipath/furniture occlusion
- Greedy + 4-restart search
ADR chain after this tick (loop's 6 new ADRs + 3 existing):
105/106/107/108/109/113 + 100/103/104 = 9 ADRs in the full chain
(privacy + federation + provenance + placement).
Coordination: ticks/tick-31.md, no PROGRESS.md edit.
|
||
|
rUv
|
27d911ca6d |
adr-109: Dilithium PQC signatures — provenance side of post-quantum migration (#733)
Sister-ADR to ADR-108. Where ADR-108 closes the confidentiality side (Kyber key exchange), ADR-109 closes the integrity side (Dilithium signatures) of the post-quantum migration. Replaces Ed25519 in ADR-100 cog signing with Dilithium-3 (NIST FIPS 204, ~AES-192 equivalent, CNSA 2.0 default). Migration timeline (matches ADR-108): - Phase 0 (NOW 2026): Ed25519 only - Phase 1 (Q4 2026): Dual-sig (Ed25519 + Dilithium-3), accepts either - Phase 2 (Q2 2027): BOTH required (defence in depth) - Phase 3 (2030+): Pure Dilithium-3 Why now (backdating argument): An adversary who can break Ed25519 in 2035 with quantum computers can backdate signatures on cog binaries to install malicious code retroactively. The provenance chain breaks even for binaries deployed today. Hybrid mode prevents this: forging a 2026 cog signature still requires breaking BOTH Ed25519 AND Dilithium-3. Manifest size: 64 B (Ed25519) + 3293 B (Dilithium-3) = ~4 kB per cog. 50-cog catalogue overhead ~200 kB. Negligible. LOC: +270 on top of ADR-100. Combined chain budget (ADR-105+106+107+108+109): ~1,820 LOC, ~7 weeks. ADR CHAIN (8 ADRs) complete for both confidentiality and integrity at quantum-resistant tier: - ADR-100: cog packaging - ADR-103: cog-person-count - ADR-104: MCP + CLI - ADR-105: within-installation federation - ADR-106: DP-SGD + primitive isolation - ADR-107: cross-installation + secure aggregation - ADR-108: PQC key exchange (Kyber-768) - ADR-109: PQC signatures (Dilithium-3) <-- THIS Future ADRs catalogued: - ADR-110: PQC hardware acceleration on Cognitum-v0 - ADR-111: Owner key rotation policy - ADR-112: Cross-signing with external CA - ADR-113: Multistatic placement strategy (R6 family findings -> ADR-029 amendment) Composes: - R14/R15 privacy + biometric requires provenance integrity - R12 PABS / R12.1: intruder-detection cog must itself be signed - R10/R11 long-deployment cogs most affected by backdating - R7 mincut adversarial assumes the model is trustworthy Honest scope: - Dilithium ~5 years old; hybrid mitigates uncertainty - ESP32-S3 verification ~5-10 ms estimated; needs benchmarking - pqcrypto-dilithium Rust crate dependency - Owner key management = highest-risk operational change - Phase 3 Ed25519 retirement needs future decision Coordination: ticks/tick-30.md, no PROGRESS.md edit. |
||
|
rUv
|
50a7c4a645 |
research(R12.1): pose-PABS closed loop — 9.36x intruder lift; R12 arc fully closed (#732)
Closes the deferred item from R12 PABS (tick 19): 'real production
needs pose-aware forward model updating in real-time'. R12.1 implements
the closed loop in synthetic form.
Method: 50-frame walking subject + intruder entering at T=25. Compare
two PABS pipelines:
(a) Fixed-expected (R12 PABS naive)
(b) Pose-updated (R12.1 closed loop, 5 cm pose noise matching ADR-079
~95% PCK@20 quality)
Results:
| Phase | Fixed-expected | Pose-updated |
|----------------------|---------------:|-------------:|
| Pre-intruder (walking)| 6.02 | 0.30 |
| Post-intruder | 7.76 | 2.84 |
| Intruder lift | 1.29x | 9.36x |
Pose updates suppress subject-motion noise by 20x (6.02 -> 0.30),
leaving the intruder as a clean 9.36x spike. False-alarm problem
from R12 PABS RESOLVED.
R12 thread fully closed (3 ticks):
- R12 (tick 5): NEGATIVE SVD eigenshift 0.69x signal/drift
- R12 PABS (19): POSITIVE 1161x intruder detection (static)
- R12.1 (this): CLOSED 9.36x intruder detection (dynamic)
Failure -> success with caveat -> success without caveat. The
multi-tick arc that justifies a long research loop.
Production roadmap (~80 LOC + 30 LOC plumbing):
let pose = pose_tracker.estimate(csi_window)?;
let expected_scene = body_model.from_pose(pose) + room_walls;
let y_predicted = fresnel_forward.simulate(expected_scene);
let pabs = (csi_window - y_predicted).norm_sq() / csi_window.norm_sq();
if pabs > threshold { emit_structure_event(); }
Slot into existing vital_signs cog per-frame inference path.
Composes:
- R6.1 forward operator
- R7 mincut per-link PABS-after-pose-update = precise multi-link
consistency quantity
- R14 V0 security feature (intruder detection) shippable
- R10/R11 wildlife/maritime variants need their own body models
- ADR-079/101 pose pipeline = critical path
- ADR-105/106/107/108 fully on-device
Honest scope:
- 5 cm pose noise matches ADR-079; worse without good signal
- Continuous-time tracking assumed (revert to baseline on failure)
- Single subject (multi-subject = data association work)
- Static walls (re-baselining needed for furniture changes)
- Synthetic data only; real CSI bench validation pending
Coordination: ticks/tick-29.md, no PROGRESS.md edit.
After this tick, all research-loop work substantively complete:
- 13 research threads (R1, R3, R5-R15)
- 4 ADRs in privacy chain (105, 106, 107, 108)
- 3 negative-result categories
- 2 explicit self-corrections
- 3 honest-scope findings
- 9-tick R6 placement family
- 3-tick R3 cross-room re-ID arc
- 3-tick R12 structure detection arc
|
||
|
rUv
|
40e5a4d6f2 |
adr-108: Kyber post-quantum key exchange for cross-installation federation (#731)
Closes the quantum-resistance gap explicitly deferred from ADR-107. Final ADR in the privacy + federation chain. Replaces DH key exchange in ADR-107's Layer 4 secure aggregation with Kyber-768 KEM (NIST FIPS 203, CNSA 2.0 default). Migration timeline: - Phase 0 (NOW 2026): Classical X25519 (ADR-107 default) - Phase 1 (2026-Q4 -> 2027): Kyber-768 opt-in via --enable-pqc flag - Phase 2 (2027-Q2 -> 2028): Hybrid (X25519 + Kyber-768) becomes default - Phase 3 (2030+): Pure Kyber-768 (classical retired) Why hybrid for Phase 2 (belt-and-braces): - Protects against future Kyber breaks (Kyber is ~5 years old) - Protects against classical breaks (X25519 backup) - Protects against implementation bugs in either primitive - Cost: ~3 kB/round/installation extra (negligible) Why now (record-now-decrypt-later): Adversaries can record federated updates today and decrypt them in 2035 when quantum capabilities arrive. Without ADR-108, the (epsilon, delta) guarantees of ADR-106 silently expire when quantum computers arrive. Proactive migration is cheap insurance. Why Kyber-768 (not 512 or 1024): - NIST FIPS 203 (2024); ~AES-192 equivalent - CNSA 2.0 recommended default - Used by Cloudflare, Google, AWS in 2024-2026 rollouts - Public key 1184 B, ciphertext 1088 B, secret 32 B - 512 lacks CNSA 2.0 sign-off; 1024 doubles bandwidth without benefit LOC: +220 on top of ADR-107. Total federation budget ADR-105+106+107+108: ~1,550 LOC. Threat model: 8 threats, every row has mitigation. Hybrid mode is the belt-and-braces against both Kyber breaks AND classical breaks. ADR CHAIN COMPLETE: 7 ADRs in the privacy + federation chain: ADR-100 (cog packaging) -> ADR-103 (cog example) -> ADR-104 (MCP/CLI) -> ADR-105 (within-installation federation) -> ADR-106 (DP + isolation) -> ADR-107 (cross-installation + SA) -> ADR-108 (PQC key exchange). No remaining unspecified privacy gap at any threat horizon (classical or quantum). Future ADRs catalogued: - ADR-109: PQC signatures (Dilithium replaces Ed25519 in ADR-100) - ADR-110: PQC hardware acceleration on Cognitum-v0 - ADR-111: PQC for cog-store distribution Composes: - R3 / R14 / R15 / R7 / R12 PABS: privacy chain intact through quantum transition - R10 / R11 (long-deployment): benefit most from forward secrecy as data ages Honest scope: - Kyber ~5 years old; hybrid mitigates uncertainty - 'When do we need this?' uncertain (2030 aggressive / 2050+ conservative) - ESP32-S3 timing ~10 ms per handshake estimated negligible; needs measurement - Phase 3 retirement of classical needs future decision Coordination: ticks/tick-28.md, no PROGRESS.md edit. |