merge: main into adr-110-esp32c6 — resolve lib.rs / esp32_parser / tracker_bridge conflicts

3 conflict points, all clean resolutions:

  v2/crates/wifi-densepose-hardware/src/lib.rs
    Conflict 1: mod declarations.
      HEAD added `pub mod sync_packet;` (iter 14).
      main re-ordered the existing mods alphabetically.
      Resolution: take main's ordering + append sync_packet at the end.

    Conflict 2: re-exports.
      HEAD added `pub use sync_packet::{SyncPacket, …}` block (iter 14).
      main moved bridge::CsiData earlier.
      Resolution: keep main's CsiData position; add my sync_packet
      re-export immediately before the radio_ops re-export.

  v2/crates/wifi-densepose-hardware/src/esp32_parser.rs
    HEAD has ADR-110 byte 18-19 PpduType + Adr018Flags parsing (iter 14).
    main still has the pre-ADR-110 "Reserved (offset 18, 2 bytes)" skip.
    Resolution: take HEAD — main hasn't pulled in ADR-110 work yet,
    that's exactly why this PR exists.

  v2/crates/wifi-densepose-sensing-server/src/tracker_bridge.rs
    HEAD has my iter-35 import cleanup (use { TrackLifecycleState, TrackId,
    NUM_KEYPOINTS }).
    main has the equivalent cleanup with a different import ordering
    (use { TrackId, TrackLifecycleState, NUM_KEYPOINTS }) + the
    pose_tracker::PoseTracker import on the line above.
    Resolution: take main's version — same end state, no behavioral
    difference, less diff churn.

Verification:
  cargo check -p wifi-densepose-hardware -p wifi-densepose-sensing-server
    --no-default-features → green
  cargo test -p wifi-densepose-hardware --no-default-features --lib sync_packet
    → 15/15 passed (122 filtered)

The 38-iter ADR-110 work is intact post-merge.

Co-Authored-By: claude-flow <ruv@ruv.net>

.claude-flow/daemon-state.json

@@ -1,55 +1,50 @@
 {
   "running": true,
-  "startedAt": "2026-05-24T22:26:25.030Z",
+  "startedAt": "2026-03-09T15:26:00.921Z",
   "workers": {
     "map": {
-      "runCount": 64,
-      "successCount": 64,
+      "runCount": 49,
+      "successCount": 49,
       "failureCount": 0,
-      "averageDurationMs": 136.171875,
-      "lastRun": "2026-05-25T06:07:33.387Z",
-      "lastStartedAt": "2026-05-25T06:07:33.381Z",
-      "nextRun": "2026-05-25T06:26:25.410Z",
+      "averageDurationMs": 1.2857142857142858,
+      "lastRun": "2026-02-28T16:13:19.194Z",
+      "nextRun": "2026-03-09T15:56:00.928Z",
       "isRunning": false
     },
     "audit": {
-      "runCount": 72,
-      "successCount": 27,
+      "runCount": 45,
+      "successCount": 0,
       "failureCount": 45,
-      "averageDurationMs": 26260.11111111111,
-      "lastRun": "2026-05-25T06:08:29.594Z",
-      "lastStartedAt": "2026-05-25T06:07:33.416Z",
-      "nextRun": "2026-05-25T06:18:32.928Z",
+      "averageDurationMs": 0,
+      "lastRun": "2026-03-09T15:43:00.933Z",
+      "nextRun": "2026-03-09T15:38:00.914Z",
       "isRunning": false
     },
     "optimize": {
-      "runCount": 54,
-      "successCount": 9,
-      "failureCount": 45,
-      "averageDurationMs": 40303.377578766485,
-      "lastRun": "2026-05-25T05:59:05.330Z",
-      "lastStartedAt": "2026-05-25T05:54:05.318Z",
-      "nextRun": "2026-05-25T06:20:15.145Z",
+      "runCount": 34,
+      "successCount": 0,
+      "failureCount": 34,
+      "averageDurationMs": 0,
+      "lastRun": "2026-02-28T16:23:19.387Z",
+      "nextRun": "2026-03-09T15:45:00.915Z",
       "isRunning": false
     },
     "consolidate": {
-      "runCount": 32,
-      "successCount": 32,
+      "runCount": 23,
+      "successCount": 23,
       "failureCount": 0,
-      "averageDurationMs": 4.71875,
-      "lastRun": "2026-05-25T05:38:20.449Z",
-      "lastStartedAt": "2026-05-25T05:38:20.443Z",
-      "nextRun": "2026-05-25T06:32:25.248Z",
+      "averageDurationMs": 0.6521739130434783,
+      "lastRun": "2026-02-28T16:05:19.091Z",
+      "nextRun": "2026-03-09T16:02:00.918Z",
       "isRunning": false
     },
     "testgaps": {
-      "runCount": 100,
-      "successCount": 63,
-      "failureCount": 37,
-      "averageDurationMs": 108604.0537328991,
-      "lastRun": "2026-05-25T06:11:52.529Z",
-      "lastStartedAt": "2026-05-25T06:07:33.390Z",
-      "nextRun": "2026-05-25T06:14:25.296Z",
+      "runCount": 27,
+      "successCount": 0,
+      "failureCount": 27,
+      "averageDurationMs": 0,
+      "lastRun": "2026-02-28T16:08:19.369Z",
+      "nextRun": "2026-03-09T15:54:00.920Z",
       "isRunning": false
     },
     "predict": {
@@ -69,8 +64,8 @@
   },
   "config": {
     "autoStart": false,
-    "logDir": "C:\\Users\\ruv\\Projects\\wifi-densepose\\.claude-flow\\logs",
-    "stateFile": "C:\\Users\\ruv\\Projects\\wifi-densepose\\.claude-flow\\daemon-state.json",
+    "logDir": "/Users/cohen/GitHub/ruvnet/RuView/.claude-flow/logs",
+    "stateFile": "/Users/cohen/GitHub/ruvnet/RuView/.claude-flow/daemon-state.json",
     "maxConcurrent": 2,
     "workerTimeoutMs": 300000,
     "resourceThresholds": {
@@ -136,5 +131,5 @@
       }
     ]
   },
-  "savedAt": "2026-05-25T06:11:52.530Z"
+  "savedAt": "2026-03-09T15:43:00.933Z"
 }

.claude-flow/horizons/aether-arena-aa.json

@@ -1,119 +0,0 @@
-{
-  "id": "aether-arena-aa",
-  "name": "AetherArena (AA) — Official Spatial-Intelligence Benchmark",
-  "adr": "ADR-149",
-  "adrPath": "docs/adr/ADR-149-public-community-leaderboard-huggingface.md",
-  "status": "Accepted",
-  "initializedDate": "2026-05-30",
-  "targetDate": "2026-08-31",
-  "exitCriteria": "Benchmark INFRASTRUCTURE done, tested, CI-gated, deploy-ready: aa_score_runner.rs passes deterministic fixture test; CI harness-gate green on every PR; aether-arena repo scaffold committed (README four-part framing + aa-submission.toml schema + VERIFY.md); public smoke split committed; HF Space lifecycle skeleton deployed; signed Parquet ledger functional; RuView baseline PCK@20 ~2.5% entered; ADR-149 §7 acceptance test (five-step stranger test) passes. NOTE: ML SOTA (MM-Fi PCK@20 ~72%) is a separate long-running stretch goal blocked on ADR-079 camera-ground-truth — it is NOT an infra exit criterion.",
-  "baselineState": {
-    "adrStatus": "Accepted, committed 2026-05-30",
-    "scorerCode": "ruview_metrics.rs + ablation.rs + proof.rs exist in wifi-densepose-train; aa_score_runner.rs not yet created",
-    "aetherArenaRepo": "does not exist yet — needs user authorization to create ruvnet/aether-arena public repo",
-    "hfSpace": "does not exist yet — needs HF_TOKEN and user authorization to deploy ruvnet/aether-arena HF Space",
-    "smokeDataset": "not committed",
-    "resultsLedger": "not created",
-    "ruviewBaseline": "PCK@20 ~2.5% self-reported, not formally entered",
-    "ciGate": "not added to workflow"
-  },
-  "milestones": {
-    "m1": {
-      "name": "ADR-149 Accepted + committed",
-      "status": "DONE",
-      "completedDate": "2026-05-30",
-      "completionCriteria": "ADR-149 file committed to docs/adr/ with status Accepted",
-      "notes": "Done this session. File at docs/adr/ADR-149-public-community-leaderboard-huggingface.md"
-    },
-    "m2": {
-      "name": "Deterministic scorer runner bin (aa_score_runner.rs)",
-      "status": "NOT_STARTED",
-      "completionCriteria": "aa_score_runner.rs compiles, runs ruview_metrics on a committed fixture, emits RuViewTier + SHA-256 proof hash, mirrors existing *_proof_runner.rs pattern; cargo test passes",
-      "estimatedEffort": "3-5 days",
-      "owner": "wifi-densepose-train crate or new aa-scorer crate"
-    },
-    "m3": {
-      "name": "CI harness-gate: GitHub Actions workflow",
-      "status": "NOT_STARTED",
-      "completionCriteria": "A GitHub Actions workflow runs aa_score_runner on every PR as a build gate; PR fails if scorer fails determinism check; workflow committed and green",
-      "estimatedEffort": "2-3 days",
-      "dependency": "M2 must be done first"
-    },
-    "m4": {
-      "name": "aether-arena repo scaffold",
-      "status": "NOT_STARTED",
-      "completionCriteria": "ruvnet/aether-arena repo created with: README (four-part framing: Public leaderboard / Private eval split / Open scorer / Signed results); aa-submission.toml manifest schema; VERIFY.md (ADR-149 §7 stranger acceptance test); neutrality/governance section (§2.8); contribution guide",
-      "estimatedEffort": "3-5 days",
-      "blockers": ["Needs user authorization to create public ruvnet/aether-arena repo on GitHub"]
-    },
-    "m5": {
-      "name": "Public smoke split committed + private MM-Fi held-out split prep",
-      "status": "NOT_STARTED",
-      "completionCriteria": "Public smoke split committed to aether-arena repo (stranger can score locally); private MM-Fi held-out split prepared under non-public path with CC BY-NC 4.0 attribution; Wi-Pose explicitly excluded from v0",
-      "estimatedEffort": "5-7 days",
-      "riskNotes": "MM-Fi CC BY-NC 4.0: AA must remain non-commercial and carry MM-Fi attribution; raw frames stay in private split; only derived CSI features + scores may be exposed"
-    },
-    "m6": {
-      "name": "HF Space (Gradio) skeleton",
-      "status": "BLOCKED",
-      "completionCriteria": "HF Space deployed at ruvnet/aether-arena with submission lifecycle (submitted->validated->quarantined->smoke_scored->full_scored->published/rejected); sandboxed scorer container wired; basic leaderboard table rendered",
-      "estimatedEffort": "7-10 days",
-      "blockers": [
-        "Needs HF_TOKEN — check .env for HF_TOKEN or HUGGINGFACE_TOKEN",
-        "Needs user authorization to create/deploy ruvnet/aether-arena HF Space (outward-facing public deployment)"
-      ]
-    },
-    "m7": {
-      "name": "Signed append-only Parquet results ledger",
-      "status": "NOT_STARTED",
-      "completionCriteria": "HF dataset ruvnet/aether-arena-results created; append-only Parquet ledger with signed rows; determinism_gate enforced; no row can be silently edited",
-      "estimatedEffort": "3-5 days",
-      "ledgerSchema": "submitter, model_ref, category, feature_set, tier, pck20, oks, mota, vitals_bpm_err, latency_p50, latency_p95, privacy_leakage, cross_room_deg, proof_sha256, scored_at, harness_version",
-      "dependency": "M6 must be scaffolded first"
-    },
-    "m8": {
-      "name": "RuView baseline entry + public launch",
-      "status": "NOT_STARTED",
-      "completionCriteria": "RuView wifi-densepose-pretrained baseline entered (honest PCK@20 ~2.5%); ADR-149 §7 five-step stranger acceptance test passes; v0 live with Presence + Pose + Edge-latency + Determinism categories active; Privacy and Cross-room shown as gated/coming-soon",
-      "estimatedEffort": "3-5 days",
-      "dependency": "M4+M5+M6+M7 complete",
-      "notes": "ML SOTA improvement (PCK@20 ~72%) is a SEPARATE stretch goal blocked on ADR-079 P7-P9 camera ground truth. NOT a blocker for infra launch."
-    }
-  },
-  "activeMilestone": "m2",
-  "completedMilestones": ["m1"],
-  "knownRisks": [
-    "HF_TOKEN not confirmed present in .env — check before M6 work begins",
-    "ruvnet/aether-arena public repo creation is outward-facing — needs explicit user authorization",
-    "MM-Fi CC BY-NC 4.0: AA must stay legally non-commercial and brand-distinct from commercial RuView product; or seek MM-Fi commercial grant before any paid tier",
-    "Wi-Pose has research-use-only terms (no redistribution grant) — excluded from v0; revisit only if terms are clarified with authors",
-    "HF Space free CPU tier may be too slow for Candle/tch inference pipeline — may need ZeroGPU or self-hosted scorer on cognitum-20260110 GCloud A100/L4",
-    "ADR-079 camera-ground-truth (PCK@20 SOTA) is P7-P9 pending — NOT an infra blocker; must not be conflated with AA infra completion",
-    "Neutrality/governance risk: RuView seeded the scorer — must be demonstrably scored through the same public pipeline as any other entrant (§2.8 controls)"
-  ],
-  "driftSignals": {
-    "timeline": "GREEN — just initialized, no timeline pressure yet",
-    "scope": "GREEN — scope locked at four-part structure per ADR-149 §2 decision",
-    "approach": "GREEN — reuse pattern (existing ruview_metrics + proof.rs) confirmed in ADR-149",
-    "dependency": "YELLOW — HF_TOKEN and ruvnet/aether-arena repo authorization are external blockers with unknown ETA",
-    "priority": "GREEN — active feature branch feat/adr-136-146-streaming-engine in progress; AA infra can proceed in parallel on its own branch"
-  },
-  "stretchGoals": {
-    "sotaML": "MM-Fi PCK@20 SOTA ~72% — separate ML effort blocked on ADR-079 P7-P9 camera-ground-truth data collection; NOT an infra exit criterion",
-    "privacyAxis": "ADR-145 §10 membership-inference attacker — activate Privacy leaderboard axis once attacker is implemented and published",
-    "crossRoom": "Multi-room held-out split — activate Cross-room generalization axis",
-    "multiOrgSteering": "Invite co-maintainers from other projects once >=N external entries land"
-  },
-  "sessionHistory": [
-    {
-      "date": "2026-05-30",
-      "type": "initialization",
-      "accomplished": [
-        "ADR-149 Accepted and committed to docs/adr/",
-        "Horizon record initialized in .claude-flow/horizons/aether-arena-aa.json",
-        "Memory stored in horizons namespace under key horizon-aether-arena-aa",
-        "Session check-in record stored in horizon-sessions namespace"
-      ]
-    }
-  ]
-}

.claude-flow/metrics/codebase-map.json

@@ -1,11 +1,11 @@
 {
-  "timestamp": "2026-05-25T06:07:33.385Z",
-  "projectRoot": "C:\\Users\\ruv\\Projects\\wifi-densepose",
+  "timestamp": "2026-02-28T16:13:19.193Z",
+  "projectRoot": "/home/user/wifi-densepose",
   "structure": {
     "hasPackageJson": false,
     "hasTsConfig": false,
     "hasClaudeConfig": true,
     "hasClaudeFlow": true
   },
-  "scannedAt": 1779689253386
+  "scannedAt": 1772295199193
 }

.claude-flow/metrics/consolidation.json

@@ -1,5 +1,5 @@
 {
-  "timestamp": "2026-05-25T05:38:20.448Z",
+  "timestamp": "2026-02-28T16:05:19.091Z",
   "patternsConsolidated": 0,
   "memoryCleaned": 0,
   "duplicatesRemoved": 0

.claude-flow/metrics/performance.json

@@ -1,17 +0,0 @@
-{
-  "timestamp": "2026-05-25T05:59:05.405Z",
-  "mode": "local",
-  "memoryUsage": {
-    "rss": 9891840,
-    "heapTotal": 35598336,
-    "heapUsed": 26516560,
-    "external": 3952418,
-    "arrayBuffers": 55689
-  },
-  "uptime": 27163.5846658,
-  "optimizations": {
-    "cacheHitRate": 0.78,
-    "avgResponseTime": 45
-  },
-  "note": "Install Claude Code CLI for AI-powered optimization suggestions"
-}

.claude-flow/metrics/security-audit.json

@@ -1,84 +1,12 @@
 {
-  "timestamp": "2026-05-25T06:08:29.589Z",
-  "mode": "headless",
-  "workerType": "audit",
-  "model": "haiku",
-  "durationMs": 56168,
-  "executionId": "audit_1779689253421_dfflmb",
-  "success": true,
-  "findings": {
-    "vulnerabilities": [
-      {
-        "severity": "high",
-        "file": ".claude/helpers/github-safe.js",
-        "line": 50,
-        "description": "Command injection vulnerability in execSync call. User-controlled arguments in `newArgs` are joined without shell escaping. An attacker can inject shell metacharacters (e.g., `; rm -rf /`) via the body content or through command/subcommand parameters. The temp file approach is safe, but the command construction `gh ${command} ${subcommand} ${newArgs.join(' ')}` allows shell injection.",
-        "example": "gh issue comment 123 'test`whoami`' would execute whoami"
-      },
-      {
-        "severity": "high",
-        "file": "scripts/csi-spectrogram.js",
-        "line": 45,
-        "description": "Sensitive credential exposure via command-line arguments. The `--seed-token` parameter is passed as a CLI argument, which is visible in process listings (ps aux output). This violates secure credential handling practices. Tokens should be read from environment variables or secure config files, not command-line args.",
-        "example": "node scripts/csi-spectrogram.js --seed-token secret_abc_123 exposes token in process list"
-      },
-      {
-        "severity": "medium",
-        "file": "scripts/apnea-detector.js",
-        "line": 71,
-        "description": "Unsafe buffer reading without comprehensive length validation. The code checks `buf.length` at 32 bytes (line 70) but then reads at fixed offsets (lines 72-76) without validating that each read stays within bounds. If a malformed packet is received, `readInt8/readUInt16LE/readUInt32LE` may read unintended data or zeros.",
-        "example": "A 33-byte buffer would pass the check but reading UInt32LE at offset 8 would go out of bounds"
-      },
-      {
-        "severity": "medium",
-        "file": "scripts/benchmark-rf-scan.js",
-        "line": 110,
-        "description": "Potential out-of-bounds buffer access in parseCSIFrame. While the bounds check at line 107 is present, the `nSubcarriers` value from the packet is used to calculate required buffer size without validation of the value itself. A maliciously crafted packet with extremely large nSubcarriers could cause memory issues.",
-        "example": "Packet with nSubcarriers=999999 would request excessive buffer allocation"
-      },
-      {
-        "severity": "medium",
-        "file": "scripts/csi-spectrogram.js",
-        "line": 39,
-        "description": "Unsafe URL construction with untrusted `seed-url` parameter. The `--seed-url` argument is used directly for HTTPS requests without validation. This could allow SSRF (Server-Side Request Forgery) or DNS rebinding attacks if an attacker controls the seed URL.",
-        "example": "node scripts/csi-spectrogram.js --seed-url http://internal.local:9000 could access internal services"
-      },
-      {
-        "severity": "low",
-        "file": ".claude/helpers/statusline.js",
-        "line": 140,
-        "description": "Shell command injection risk in execSync calls. Commands like `ps aux 2>/dev/null | grep -c agentic-flow` use grep patterns that could be vulnerable if any variables are interpolated (though currently hardcoded). The `execSync` with shell=true is generally risky.",
-        "example": "If any pattern becomes user-controlled: `grep -c ${pattern}` could inject shell metacharacters"
-      },
-      {
-        "severity": "low",
-        "file": ".claude/helpers/memory.js",
-        "line": 10,
-        "description": "Unvalidated JSON parsing. The code parses JSON from MEMORY_FILE without try-catch in the loadMemory function (catches error but doesn't validate structure). Malformed JSON or corrupted memory file could cause issues.",
-        "example": "Memory file with circular JSON structure could cause issues when stringifying"
-      },
-      {
-        "severity": "low",
-        "file": "scripts/device-fingerprint.js",
-        "line": 72,
-        "description": "Hardcoded device fingerprints and network configuration. While not a traditional 'hardcoded secret', the KNOWN_DEVICES array contains identifiable SSIDs and MAC addresses that could be used to correlate network infrastructure. This data should be externalized or sanitized.",
-        "example": "SSID 'ruv.net' and 'Cohen-Guest' could identify specific installations"
-      }
-    ],
-    "riskScore": 42,
-    "recommendations": [
-      "**CRITICAL**: Replace `execSync` command construction in github-safe.js with proper shell escaping using `child_process.execFile()` instead of `execSync()`, or use the `shell: false` option with array arguments to avoid shell parsing entirely.",
-      "**CRITICAL**: Move `--seed-token` from CLI arguments to environment variable `SEED_TOKEN` in csi-spectrogram.js. Update documentation to instruct users: `export SEED_TOKEN=...` instead of passing via CLI.",
-      "**HIGH**: Add comprehensive buffer bounds validation in all UDP packet parsing functions (apnea-detector.js, benchmark-rf-scan.js, etc.). Validate both the buffer length AND the parsed header values before using them in calculations.",
-      "**HIGH**: Validate and sanitize the `--seed-url` parameter in csi-spectrogram.js. Whitelist allowed domains or restrict to localhost/internal IPs only. Add URL scheme validation (https only).",
-      "**MEDIUM**: Replace hardcoded device fingerprints (KNOWN_DEVICES) with externalized configuration or environment variables. Document that this data contains identifiable network information.",
-      "**MEDIUM**: Add input validation to `parseArgs()` results in all scripts. Validate numeric ranges, file paths, and enum values before use.",
-      "**LOW**: Wrap JSON.parse() calls in try-catch blocks throughout (memory.js, session.js) with explicit error handling and recovery.",
-      "**LOW**: Audit all uses of `require()` with dynamic paths. Ensure paths are always derived from fixed `__dirname` and not user-controlled.",
-      "**LOW**: Remove or sandbox the ability to pass arbitrary URLs via CLI. Consider using a configuration file (YAML/JSON) for endpoint URLs instead.",
-      "**INFO**: Add a pre-commit hook to detect hardcoded credentials using tools like `detect-secrets` or `truffleHog`."
-    ]
+  "timestamp": "2026-03-06T13:17:27.368Z",
+  "mode": "local",
+  "checks": {
+    "envFilesProtected": true,
+    "gitIgnoreExists": true,
+    "noHardcodedSecrets": true
   },
-  "rawOutputPreview": "# Security Audit Report — wifi-densepose\n\n```json\n{\n  \"vulnerabilities\": [\n    {\n      \"severity\": \"high\",\n      \"file\": \".claude/helpers/github-safe.js\",\n      \"line\": 50,\n      \"description\": \"Command injection vulnerability in execSync call. User-controlled arguments in `newArgs` are joined without shell escaping. An attacker can inject shell metacharacters (e.g., `; rm -rf /`) via the body content or through command/subcommand parameters. The temp file approach is safe, but the command construction `gh ${command} ${subcommand} ${newArgs.join(' ')}` allows shell injection.\",\n      \"example\": \"gh issue comment 123 'test`whoami`' would execute whoami\"\n    },\n    {\n      \"severity\": \"high\",\n      \"file\": \"scripts/csi-spectrogram.js\",\n      \"line\": 45,\n      \"description\": \"Sensitive credential exposure via command-line arguments. The `--seed-token` parameter is passed as a CLI argument, which is visible in process listings (ps aux output). This violates secure credential handling practices. Tokens should be read from environment variables or secure config files, not command-line args.\",\n      \"example\": \"node scripts/csi-spectrogram.js --seed-token secret_abc_123 exposes token in process list\"\n    },\n    {\n      \"severity\": \"medium\",\n      \"file\": \"scripts/apnea-detector.js\",\n      \"line\": 71,\n      \"description\": \"Unsafe buffer reading without comprehensive length validation. The code checks `buf.length` at 32 bytes (line 70) but then reads at fixed offsets (lines 72-76) without validating that each read stays within bounds. If a malformed packet is received, `readInt8/readUInt16LE/readUInt32LE` may read unintended data or zeros.\",\n      \"example\": \"A 33-byte buffer would pass the check but reading UInt32LE at offset 8 would go out of bounds\"\n    },\n    {\n      \"severity\": \"medium\",\n      \"file\": \"scripts/benchmark-rf-scan.js\",\n      \"line\": 110,\n      \"description\": \"Potential out-of-bounds buffer access in parseCSIFrame. While the bounds check at line 107 is pres",
-  "rawOutputLength": 7077
+  "riskLevel": "low",
+  "recommendations": [],
+  "note": "Install Claude Code CLI for AI-powered security analysis"
 }

.claude-flow/metrics/test-gaps.json

@@ -1,106 +0,0 @@
-{
-  "timestamp": "2026-05-25T06:11:52.519Z",
-  "mode": "headless",
-  "workerType": "testgaps",
-  "model": "sonnet",
-  "durationMs": 259124,
-  "executionId": "testgaps_1779689253395_srltd5",
-  "success": true,
-  "findings": {
-    "sections": [
-      {
-        "title": "Test Coverage Gap Analysis — wifi-densepose",
-        "content": "\n",
-        "level": 2
-      },
-      {
-        "title": "Coverage Summary by Crate",
-        "content": "\n| Crate | Tests Found | Status | Priority |\n|-------|-------------|--------|----------|\n| `wifi-densepose-core` | 26 inline | Good | Low |\n| `wifi-densepose-signal` | ~60 (validation only) | Moderate | **High** |\n| `wifi-densepose-nn` | **0** | Critical | **P1** |\n| `wifi-densepose-train` | ~60 (config/dataset) | Moderate | High |\n| `wifi-densepose-mat` | 1 integration test | Critical | **P1** |\n| `wifi-densepose-ruvector` | **0** | Critical | **P1** |\n| `wifi-densepose-sensing-server` | 4 integration tests | Moderate | High |\n| `wifi-densepose-wasm` | 3 compliance tests | Low | Low |\n\n---\n\n",
-        "level": 3
-      },
-      {
-        "title": "Tier 1: Critical Gaps",
-        "content": "\n",
-        "level": 2
-      },
-      {
-        "title": "1. `wifi-densepose-nn` — Zero test coverage",
-        "content": "\nEvery public API is untested. Place these at `v2/crates/wifi-densepose-nn/tests/inference_tests.rs`:\n\n```rust\n// v2/crates/wifi-densepose-nn/tests/inference_tests.rs\n\n#[cfg(test)]\nmod tensor_tests {\n    use wifi_densepose_nn::tensor::Tensor;\n\n    #[test]\n    fn tensor_shape_mismatch_returns_error() {\n        // data has 6 elements but shape claims 3×3=9\n        let result = Tensor::new(vec![1.0f32; 6], &[3, 3]);\n        assert!(result.is_err(), \"shape mismatch must be rejected\");\n    }\n\n    #[test]\n    fn tensor_empty_data_returns_error() {\n        let result = Tensor::new(vec![], &[0]);\n        assert!(result.is_err());\n    }\n\n    #[test]\n    fn tensor_nan_values_are_detected() {\n        let t = Tensor::new(vec![f32::NAN, 1.0, 2.0], &[3]).unwrap();\n        assert!(t.has_nan(), \"NaN in data must be detectable\");\n    }\n\n    #[test]\n    fn tensor_inf_values_are_detected() {\n        let t = Tensor::new(vec![f32::INFINITY, 1.0], &[2]).unwrap();\n        assert!(t.has_inf());\n    }\n}\n\n#[cfg(test)]\nmod modality_translator_tests {\n    use wifi_densepose_nn::translator::ModalityTranslator;\n\n    #[test]\n    fn translator_rejects_wrong_subcarrier_count() {\n        // standard expects 56 subcarriers; feed 57\n        let csi = vec![0.0f32; 57 * 3]; // 57 subcarriers × 3 antennas\n        let translator = ModalityTranslator::default();\n        let result = translator.translate(&csi, 57, 3);\n        assert!(result.is_err());\n    }\n\n    #[test]\n    fn translator_handles_all_zeros() {\n        let csi = vec![0.0f32; 56 * 3];\n        let translator = ModalityTranslator::default();\n        let result = translator.translate(&csi, 56, 3);\n        // zero input should produce some output without panic\n        assert!(result.is_ok());\n    }\n}\n\n#[cfg(test)]\nmod inference_engine_tests {\n    use wifi_densepose_nn::inference::InferenceEngine;\n\n    #[test]\n    fn load_nonexistent_model_returns_error() {\n        let result = InferenceEngine::from_path(\"/nonexistent/model.onnx\");\n        assert!(result.is_err());\n    }\n\n    #[test]\n    fn load_corrupted_bytes_returns_error() {\n        let tmp = tempfile::NamedTempFile::new().unwrap();\n        std::fs::write(tmp.path(), b\"not a valid onnx file\").unwrap();\n        let result = InferenceEngine::from_path(tmp.path());\n        assert!(result.is_err());\n    }\n\n    #[test]\n    fn batch_size_zero_returns_error() {\n        // can't run inference on an empty batch\n        // requires a valid model; skip if no model file in test fixtures\n        // use #[ignore] or a feature flag for CI\n    }\n}\n```\n\n---\n\n",
-        "level": 3
-      },
-      {
-        "title": "2. `wifi-densepose-mat` — Disaster response safety gaps",
-        "content": "\nPlace at `v2/crates/wifi-densepose-mat/tests/`:\n\n```rust\n// v2/crates/wifi-densepose-mat/tests/detection_edge_cases.rs\n\n#[cfg(test)]\nmod breathing_rate_edge_cases {\n    use wifi_densepose_mat::detection::breathing::BreathingDetector;\n\n    #[test]\n    fn zero_bpm_is_classified_critical() {\n        let detector = BreathingDetector::default();\n        // flat-line signal — no breathing detected\n        let signal = vec![0.0f32; 1000];\n        let result = detector.classify(&signal).unwrap();\n        assert_eq!(result.triage_category, TriageCategory::Immediate);\n    }\n\n    #[test]\n    fn agonal_breathing_rate_triggers_immediate() {\n        // < 6 BPM is agonal; simulate 3 BPM signal\n        let detector = BreathingDetector::default();\n        let signal = generate_breathing_signal(3.0, 1000, 100.0); // 3 BPM, 1000 samples @ 100 Hz\n        let result = detector.classify(&signal).unwrap();\n        assert_eq!(result.triage_category, TriageCategory::Immediate);\n    }\n\n    #[test]\n    fn normal_breathing_is_classified_minor() {\n        let detector = BreathingDetector::default();\n        let signal = generate_breathing_signal(15.0, 1000, 100.0); // 15 BPM\n        let result = detector.classify(&signal).unwrap();\n        assert_eq!(result.triage_category, TriageCategory::Minor);\n    }\n\n    #[test]\n    fn all_nan_signal_returns_error_not_panic() {\n        let detector = BreathingDetector::default();\n        let signal = vec![f32::NAN; 1000];\n        let result = detector.classify(&signal);\n        assert!(result.is_err(), \"NaN input must be caught, not panic\");\n    }\n\n    fn generate_breathing_signal(bpm: f32, samples: usize, sample_rate: f32) -> Vec<f32> {\n        let freq = bpm / 60.0;\n        (0..samples)\n            .map(|i| (2.0 * std::f32::consts::PI * freq * i as f32 / sample_rate).sin())\n            .collect()\n    }\n}\n\n#[cfg(test)]\nmod alert_deduplication {\n    use wifi_densepose_mat::alerting::{AlertDispatcher, Alert, TriageCategory};\n    use std::time::Duration;\n\n    #[test]\n    fn duplicate_alerts_within_window_are_suppressed() {\n        let mut dispatcher = AlertDispatcher::new();\n        let alert = Alert::new(\"survivor-1\", TriageCategory::Immediate);\n        dispatcher.dispatch(alert.clone());\n        dispatcher.dispatch(alert.clone()); // same survivor, same category\n        assert_eq!(dispatcher.queued_count(), 1, \"duplicate must be deduplicated\");\n    }\n\n    #[test]\n    fn escalation_from_minor_to_immediate_is_forwarded() {\n        let mut dispatcher = AlertDispatcher::new();\n        dispatcher.dispatch(Alert::new(\"survivor-1\", TriageCategory::Minor));\n        dispatcher.dispatch(Alert::new(\"survivor-1\", TriageCategory::Immediate));\n        // escalation is not a duplicate — must pass through\n        assert!(dispatcher.last_alert_for(\"survivor-1\").map(|a| a.category) == Some(TriageCategory::Immediate));\n    }\n}\n\n#[cfg(test)]\nmod kalman_tracker_edge_cases {\n    use wifi_densepose_mat::tracking::KalmanTracker;\n\n    #[test]\n    fn position_jump_does_not_corrupt_state() {\n        let mut tracker = KalmanTracker::new();\n        tracker.update([1.0, 1.0, 0.5]);  // initial position\n        tracker.update([50.0, 50.0, 0.5]); // physically impossible jump\n        let pos = tracker.estimated_position();\n        // should not panic; should clamp or flag anomaly\n        assert!(pos.iter().all(|v| v.is_finite()));\n    }\n\n    #[test]\n    fn lost_track_resumes_on_re_detection() {\n        let mut tracker = KalmanTracker::new();\n        tracker.update([1.0, 1.0, 0.5]);\n        // simulate 10 missed frames\n        for _ in 0..10 { tracker.predict(); }\n        assert_eq!(tracker.state(), TrackState::Lost);\n        tracker.update([1.1, 1.1, 0.5]); // re-detected nearby\n        assert_eq!(tracker.state(), TrackState::Confirmed);\n    }\n}\n```\n\n---\n\n",
-        "level": 3
-      },
-      {
-        "title": "3. `wifi-densepose-ruvector` — Zero coverage on all 5 integration modules",
-        "content": "\n```rust\n// v2/crates/wifi-densepose-ruvector/tests/viewpoint_tests.rs\n\n#[cfg(test)]\nmod attention_tests {\n    use wifi_densepose_ruvector::viewpoint::attention::CrossViewpointAttention;\n\n    #[test]\n    fn attention_weights_sum_to_one() {\n        let attn = CrossViewpointAttention::new(3); // 3 viewpoints\n        let features = vec![[1.0f32; 64], [2.0f32; 64], [3.0f32; 64]];\n        let weights = attn.compute_weights(&features);\n        let sum: f32 = weights.iter().sum();\n        assert!((sum - 1.0).abs() < 1e-5, \"attention must be a probability distribution\");\n    }\n\n    #[test]\n    fn single_viewpoint_gets_full_weight() {\n        let attn = CrossViewpointAttention::new(1);\n        let features = vec![[1.0f32; 64]];\n        let weights = attn.compute_weights(&features);\n        assert!((weights[0] - 1.0).abs() < 1e-6);\n    }\n\n    #[test]\n    fn zero_feature_vectors_do_not_produce_nan() {\n        let attn = CrossViewpointAttention::new(2);\n        let features = vec![[0.0f32; 64], [0.0f32; 64]];\n        let weights = attn.compute_weights(&features);\n        assert!(weights.iter().all(|w| w.is_finite()));\n    }\n}\n\n#[cfg(test)]\nmod sketch_tests {\n    use wifi_densepose_ruvector::sketch::WireSketch;\n\n    #[test]\n    fn round_trip_serialization() {\n        let sketch = WireSketch::from_keypoints(&[[0.5f32, 0.5], [0.3, 0.7]]);\n        let bytes = sketch.to_bytes();\n        let restored = WireSketch::from_bytes(&bytes).unwrap();\n        assert_eq!(sketch, restored);\n    }\n\n    #[test]\n    fn deserialize_truncated_bytes_returns_error() {\n        let sketch = WireSketch::from_keypoints(&[[0.5f32, 0.5]]);\n        let mut bytes = sketch.to_bytes();\n        bytes.truncate(bytes.len() / 2); // truncate halfway\n        assert!(WireSketch::from_bytes(&bytes).is_err());\n    }\n\n    #[test]\n    fn empty_keypoint_list_is_handled() {\n        let sketch = WireSketch::from_keypoints(&[]);\n        assert_eq!(sketch.keypoint_count(), 0);\n    }\n}\n```\n\n---\n\n",
-        "level": 3
-      },
-      {
-        "title": "Tier 2: Signal Processing Gaps",
-        "content": "\n",
-        "level": 2
-      },
-      {
-        "title": "4. `wifi-densepose-signal` — RuvSense module untested",
-        "content": "\n```rust\n// v2/crates/wifi-densepose-signal/tests/ruvsense_tests.rs\n\n#[cfg(test)]\nmod coherence_gate_tests {\n    use wifi_densepose_signal::ruvsense::coherence_gate::{CoherenceGate, GateDecision};\n\n    #[test]\n    fn high_coherence_signal_is_accepted() {\n        let gate = CoherenceGate::new(0.7); // threshold = 0.7\n        let decision = gate.evaluate(0.95);\n        assert_eq!(decision, GateDecision::Accept);\n    }\n\n    #[test]\n    fn low_coherence_signal_is_rejected() {\n        let gate = CoherenceGate::new(0.7);\n        let decision = gate.evaluate(0.3);\n        assert_eq!(decision, GateDecision::Reject);\n    }\n\n    #[test]\n    fn borderline_coherence_triggers_recalibrate() {\n        let gate = CoherenceGate::new(0.7);\n        let decision = gate.evaluate(0.68); // just below threshold\n        assert_eq!(decision, GateDecision::Recalibrate);\n    }\n}\n\n#[cfg(test)]\nmod phase_align_tests {\n    use wifi_densepose_signal::ruvsense::phase_align::PhaseAligner;\n\n    #[test]\n    fn phase_at_plus_pi_does_not_wrap_incorrectly() {\n        let aligner = PhaseAligner::new();\n        let phases = vec![std::f32::consts::PI - 0.001, std::f32::consts::PI + 0.001];\n        let aligned = aligner.align(&phases);\n        // jump across ±π boundary must be handled continuously\n        let diff = (aligned[1] - aligned[0]).abs();\n        assert!(diff < 0.01, \"phase jump at ±π must be < 0.01 rad after alignment\");\n    }\n\n    #[test]\n    fn single_phase_value_aligns_to_itself() {\n        let aligner = PhaseAligner::new();\n        let phases = vec![1.5f32];\n        let aligned = aligner.align(&phases);\n        assert_eq!(aligned.len(), 1);\n        assert!((aligned[0] - 1.5).abs() < 1e-6);\n    }\n\n    #[test]\n    fn empty_phase_array_returns_empty() {\n        let aligner = PhaseAligner::new();\n        let aligned = aligner.align(&[]);\n        assert!(aligned.is_empty());\n    }\n}\n\n#[cfg(test)]\nmod adversarial_detection_tests {\n    use wifi_densepose_signal::ruvsense::adversarial::AdversarialDetector;\n\n    #[test]\n    fn physically_impossible_amplitude_is_flagged() {\n        let detector = AdversarialDetector::new();\n        // WiFi amplitude cannot exceed hardware saturation level\n        let frame = vec![1e9f32; 56]; // absurdly large\n        assert!(detector.is_suspicious(&frame));\n    }\n\n    #[test]\n    fn normal_amplitude_range_passes() {\n        let detector = AdversarialDetector::new();\n        let frame = vec![0.5f32; 56]; // typical normalized value\n        assert!(!detector.is_suspicious(&frame));\n    }\n\n    #[test]\n    fn multi_link_inconsistency_is_detected() {\n        // link A reports body moving right; link B reports no motion\n        // physically inconsistent — flag as adversarial\n        let detector = AdversarialDetector::new();\n        let result = detector.check_multi_link_consistency(\n            &[1.0, 2.0, 3.0], // link A\n            &[0.0, 0.0, 0.0], // link B (no motion)\n        );\n        assert!(result.is_inconsistent());\n    }\n}\n```\n\n---\n\n",
-        "level": 3
-      },
-      {
-        "title": "Tier 2: Training Pipeline Gaps",
-        "content": "\n",
-        "level": 2
-      },
-      {
-        "title": "5. `wifi-densepose-train` — Geometry encoder and rapid adaptation untested",
-        "content": "\n```rust\n// v2/crates/wifi-densepose-train/tests/test_geometry.rs\n\n#[cfg(test)]\nmod film_layer_tests {\n    use wifi_densepose_train::geometry::FilmLayer;\n\n    #[test]\n    fn film_layer_output_shape_matches_input() {\n        let film = FilmLayer::new(64, 32); // 64-dim features, 32-dim condition\n        let features = vec![0.5f32; 64];\n        let condition = vec![1.0f32; 32];\n        let output = film.forward(&features, &condition).unwrap();\n        assert_eq!(output.len(), 64, \"FiLM output must match feature dimensionality\");\n    }\n\n    #[test]\n    fn film_layer_zero_condition_acts_as_identity() {\n        let film = FilmLayer::new(64, 32);\n        let features = vec![1.0f32; 64];\n        let zero_condition = vec![0.0f32; 32];\n        let output = film.forward(&features, &zero_condition).unwrap();\n        // scale=1, shift=0 → identity; output ≈ input\n        for (o, f) in output.iter().zip(features.iter()) {\n            assert!((o - f).abs() < 0.1, \"zero condition should approximate identity\");\n        }\n    }\n}\n\n// v2/crates/wifi-densepose-train/tests/test_rapid_adapt.rs\n\n#[cfg(test)]\nmod rapid_adaptation_tests {\n    use wifi_densepose_train::rapid_adapt::RapidAdapter;\n\n    #[test]\n    fn adapter_updates_on_single_sample() {\n        let mut adapter = RapidAdapter::new(5); // 5 adaptation steps\n        let csi_sample = vec![0.1f32; 56 * 3];\n        let pose_label = vec![0.5f32; 17 * 2]; // 17 keypoints × (x, y)\n        let result = adapter.adapt_step(&csi_sample, &pose_label);\n        assert!(result.is_ok());\n    }\n\n    #[test]\n    fn adapter_with_zero_steps_is_no_op() {\n        let adapter = RapidAdapter::new(0);\n        // 0 adaptation steps → weights unchanged\n        let initial_weights = adapter.clone_weights();\n        let _ = adapter.adapt_step(&vec![0.1f32; 168], &vec![0.5f32; 34]);\n        assert_eq!(adapter.clone_weights(), initial_weights);\n    }\n}\n```\n\n---\n\n",
-        "level": 3
-      },
-      {
-        "title": "Tier 3: Server Integration Gaps",
-        "content": "\n",
-        "level": 2
-      },
-      {
-        "title": "6. `wifi-densepose-sensing-server` — Auth and semantic analyzers",
-        "content": "\n```rust\n// v2/crates/wifi-densepose-sensing-server/tests/auth_tests.rs\n\n#[cfg(test)]\nmod bearer_auth_tests {\n    use wifi_densepose_sensing_server::auth::{BearerValidator, TokenError};\n\n    #[test]\n    fn missing_authorization_header_returns_unauthorized() {\n        let validator = BearerValidator::new(\"secret-token\");\n        let result = validator.validate(None);\n        assert!(matches!(result, Err(TokenError::Missing)));\n    }\n\n    #[test]\n    fn wrong_token_is_rejected() {\n        let validator = BearerValidator::new(\"correct-token\");\n        let result = validator.validate(Some(\"Bearer wrong-token\"));\n        assert!(matches!(result, Err(TokenError::Invalid)));\n    }\n\n    #[test]\n    fn malformed_header_without_bearer_prefix_is_rejected() {\n        let validator = BearerValidator::new(\"token\");\n        let result = validator.validate(Some(\"token\")); // missing \"Bearer \" prefix\n        assert!(matches!(result, Err(TokenError::Malformed)));\n    }\n\n    #[test]\n    fn correct_token_is_accepted() {\n        let validator = BearerValidator::new(\"correct-token\");\n        let result = validator.validate(Some(\"Bearer correct-token\"));\n        assert!(result.is_ok());\n    }\n}\n\n// v2/crates/wifi-densepose-sensing-server/tests/semantic_tests.rs\n\n#[cfg(test)]\nmod fall_detection_tests {\n    use wifi_densepose_sensing_server::semantic::fall_detector::FallDetector;\n\n    #[test]\n    fn no_motion_does_not_trigger_fall() {\n        let mut detector = FallDetector::new();\n        for _ in 0..30 { // 30 frames of stillness\n            detector.update_pose(stationary_pose());\n        }\n        assert!(!detector.fall_detected());\n    }\n\n    #[test]\n    fn rapid_downward_velocity_triggers_fall() {\n        let mut detector = FallDetector::new();\n        // simulate person going from standing (y=1.7m) to prone (y=0.3m) in 3 frames\n        for (frame, y) in [(0, 1.7f32), (1, 1.0), (2, 0.3)] {\n            detector.update_pose(pose_at_height(y));\n        }\n        assert!(detector.fall_detected());\n    }\n\n    #[test]\n    fn sitting_down_slowly_does_not_trigger_fall() {\n        let mut detector = FallDetector::new();\n        // gradual height decrease over 30 frames is sitting, not falling\n        for i in 0..30 {\n            let y = 1.7f32 - (i as f32 * 0.04); // ~1.2m drop over 30 frames\n            detector.update_pose(pose_at_height(y));\n        }\n        assert!(!detector.fall_detected());\n    }\n}\n```\n\n---\n\n",
-        "level": 3
-      },
-      {
-        "title": "Cross-Cutting Gap Summary",
-        "content": "| Gap Category | Severity | Affects | Recommended Action |\n|---|---|---|---|\n| `wifi-densepose-nn` has 0 tests | **Critical** | Inference pipeline | Add `tests/inference_tests.rs` per skeleton above |\n| `wifi-densepose-ruvector` has 0 tests | **Critical** | Viewpoint fusion, sketches | Add `tests/viewpoint_tests.rs` |\n| MAT disaster response missing edge cases | **Critical** | 0 BPM, agonal breathing, dedup | Add `tests/detection_edge_cases.rs` |\n| Signal RuvSense 28 modules untested | High | Core sensing logic | Add `tests/ruvsense_tests.rs` |\n| NN error paths (bad model files, OOM) | High | Production reliability | Add error path tests to nn |\n| Train geometry + rapid adapt = 0 tests | High | Domain adaptation | Add `tests/test_geometry.rs` |\n| Server auth token validation | High | Security boundary | Add `tests/auth_tests.rs` |\n| NaN/Inf propagation in f32 pipelines | High | All numeric crates | Add boundary tests per module |\n| Concurrent state under Arc<Mutex> | Medium | sensing-server, mat | Add contention tests |\n\nThe highest-ROI starting point is `wifi-densepose-nn` and `wifi-densepose-mat` — the nn crate has zero tests on the core inference pipeline, and mat covers life-safety scenarios where classification errors have real consequences.",
-        "level": 2
-      }
-    ],
-    "codeBlocks": [
-      {
-        "language": "rust",
-        "code": "// v2/crates/wifi-densepose-nn/tests/inference_tests.rs\n\n#[cfg(test)]\nmod tensor_tests {\n    use wifi_densepose_nn::tensor::Tensor;\n\n    #[test]\n    fn tensor_shape_mismatch_returns_error() {\n        // data has 6 elements but shape claims 3×3=9\n        let result = Tensor::new(vec![1.0f32; 6], &[3, 3]);\n        assert!(result.is_err(), \"shape mismatch must be rejected\");\n    }\n\n    #[test]\n    fn tensor_empty_data_returns_error() {\n        let result = Tensor::new(vec![], &[0]);\n        assert!(result.is_err());\n    }\n\n    #[test]\n    fn tensor_nan_values_are_detected() {\n        let t = Tensor::new(vec![f32::NAN, 1.0, 2.0], &[3]).unwrap();\n        assert!(t.has_nan(), \"NaN in data must be detectable\");\n    }\n\n    #[test]\n    fn tensor_inf_values_are_detected() {\n        let t = Tensor::new(vec![f32::INFINITY, 1.0], &[2]).unwrap();\n        assert!(t.has_inf());\n    }\n}\n\n#[cfg(test)]\nmod modality_translator_tests {\n    use wifi_densepose_nn::translator::ModalityTranslator;\n\n    #[test]\n    fn translator_rejects_wrong_subcarrier_count() {\n        // standard expects 56 subcarriers; feed 57\n        let csi = vec![0.0f32; 57 * 3]; // 57 subcarriers × 3 antennas\n        let translator = ModalityTranslator::default();\n        let result = translator.translate(&csi, 57, 3);\n        assert!(result.is_err());\n    }\n\n    #[test]\n    fn translator_handles_all_zeros() {\n        let csi = vec![0.0f32; 56 * 3];\n        let translator = ModalityTranslator::default();\n        let result = translator.translate(&csi, 56, 3);\n        // zero input should produce some output without panic\n        assert!(result.is_ok());\n    }\n}\n\n#[cfg(test)]\nmod inference_engine_tests {\n    use wifi_densepose_nn::inference::InferenceEngine;\n\n    #[test]\n    fn load_nonexistent_model_returns_error() {\n        let result = InferenceEngine::from_path(\"/nonexistent/model.onnx\");\n        assert!(result.is_err());\n    }\n\n    #[test]\n    fn load_corrupted_bytes_returns_error() {\n        let tmp = tempfile::NamedTempFile::new().unwrap();\n        std::fs::write(tmp.path(), b\"not a valid onnx file\").unwrap();\n        let result = InferenceEngine::from_path(tmp.path());\n        assert!(result.is_err());\n    }\n\n    #[test]\n    fn batch_size_zero_returns_error() {\n        // can't run inference on an empty batch\n        // requires a valid model; skip if no model file in test fixtures\n        // use #[ignore] or a feature flag for CI\n    }\n}"
-      },
-      {
-        "language": "rust",
-        "code": "// v2/crates/wifi-densepose-mat/tests/detection_edge_cases.rs\n\n#[cfg(test)]\nmod breathing_rate_edge_cases {\n    use wifi_densepose_mat::detection::breathing::BreathingDetector;\n\n    #[test]\n    fn zero_bpm_is_classified_critical() {\n        let detector = BreathingDetector::default();\n        // flat-line signal — no breathing detected\n        let signal = vec![0.0f32; 1000];\n        let result = detector.classify(&signal).unwrap();\n        assert_eq!(result.triage_category, TriageCategory::Immediate);\n    }\n\n    #[test]\n    fn agonal_breathing_rate_triggers_immediate() {\n        // < 6 BPM is agonal; simulate 3 BPM signal\n        let detector = BreathingDetector::default();\n        let signal = generate_breathing_signal(3.0, 1000, 100.0); // 3 BPM, 1000 samples @ 100 Hz\n        let result = detector.classify(&signal).unwrap();\n        assert_eq!(result.triage_category, TriageCategory::Immediate);\n    }\n\n    #[test]\n    fn normal_breathing_is_classified_minor() {\n        let detector = BreathingDetector::default();\n        let signal = generate_breathing_signal(15.0, 1000, 100.0); // 15 BPM\n        let result = detector.classify(&signal).unwrap();\n        assert_eq!(result.triage_category, TriageCategory::Minor);\n    }\n\n    #[test]\n    fn all_nan_signal_returns_error_not_panic() {\n        let detector = BreathingDetector::default();\n        let signal = vec![f32::NAN; 1000];\n        let result = detector.classify(&signal);\n        assert!(result.is_err(), \"NaN input must be caught, not panic\");\n    }\n\n    fn generate_breathing_signal(bpm: f32, samples: usize, sample_rate: f32) -> Vec<f32> {\n        let freq = bpm / 60.0;\n        (0..samples)\n            .map(|i| (2.0 * std::f32::consts::PI * freq * i as f32 / sample_rate).sin())\n            .collect()\n    }\n}\n\n#[cfg(test)]\nmod alert_deduplication {\n    use wifi_densepose_mat::alerting::{AlertDispatcher, Alert, TriageCategory};\n    use std::time::Duration;\n\n    #[test]\n    fn duplicate_alerts_within_window_are_suppressed() {\n        let mut dispatcher = AlertDispatcher::new();\n        let alert = Alert::new(\"survivor-1\", TriageCategory::Immediate);\n        dispatcher.dispatch(alert.clone());\n        dispatcher.dispatch(alert.clone()); // same survivor, same category\n        assert_eq!(dispatcher.queued_count(), 1, \"duplicate must be deduplicated\");\n    }\n\n    #[test]\n    fn escalation_from_minor_to_immediate_is_forwarded() {\n        let mut dispatcher = AlertDispatcher::new();\n        dispatcher.dispatch(Alert::new(\"survivor-1\", TriageCategory::Minor));\n        dispatcher.dispatch(Alert::new(\"survivor-1\", TriageCategory::Immediate));\n        // escalation is not a duplicate — must pass through\n        assert!(dispatcher.last_alert_for(\"survivor-1\").map(|a| a.category) == Some(TriageCategory::Immediate));\n    }\n}\n\n#[cfg(test)]\nmod kalman_tracker_edge_cases {\n    use wifi_densepose_mat::tracking::KalmanTracker;\n\n    #[test]\n    fn position_jump_does_not_corrupt_state() {\n        let mut tracker = KalmanTracker::new();\n        tracker.update([1.0, 1.0, 0.5]);  // initial position\n        tracker.update([50.0, 50.0, 0.5]); // physically impossible jump\n        let pos = tracker.estimated_position();\n        // should not panic; should clamp or flag anomaly\n        assert!(pos.iter().all(|v| v.is_finite()));\n    }\n\n    #[test]\n    fn lost_track_resumes_on_re_detection() {\n        let mut tracker = KalmanTracker::new();\n        tracker.update([1.0, 1.0, 0.5]);\n        // simulate 10 missed frames\n        for _ in 0..10 { tracker.predict(); }\n        assert_eq!(tracker.state(), TrackState::Lost);\n        tracker.update([1.1, 1.1, 0.5]); // re-detected nearby\n        assert_eq!(tracker.state(), TrackState::Confirmed);\n    }\n}"
-      },
-      {
-        "language": "rust",
-        "code": "// v2/crates/wifi-densepose-ruvector/tests/viewpoint_tests.rs\n\n#[cfg(test)]\nmod attention_tests {\n    use wifi_densepose_ruvector::viewpoint::attention::CrossViewpointAttention;\n\n    #[test]\n    fn attention_weights_sum_to_one() {\n        let attn = CrossViewpointAttention::new(3); // 3 viewpoints\n        let features = vec![[1.0f32; 64], [2.0f32; 64], [3.0f32; 64]];\n        let weights = attn.compute_weights(&features);\n        let sum: f32 = weights.iter().sum();\n        assert!((sum - 1.0).abs() < 1e-5, \"attention must be a probability distribution\");\n    }\n\n    #[test]\n    fn single_viewpoint_gets_full_weight() {\n        let attn = CrossViewpointAttention::new(1);\n        let features = vec![[1.0f32; 64]];\n        let weights = attn.compute_weights(&features);\n        assert!((weights[0] - 1.0).abs() < 1e-6);\n    }\n\n    #[test]\n    fn zero_feature_vectors_do_not_produce_nan() {\n        let attn = CrossViewpointAttention::new(2);\n        let features = vec![[0.0f32; 64], [0.0f32; 64]];\n        let weights = attn.compute_weights(&features);\n        assert!(weights.iter().all(|w| w.is_finite()));\n    }\n}\n\n#[cfg(test)]\nmod sketch_tests {\n    use wifi_densepose_ruvector::sketch::WireSketch;\n\n    #[test]\n    fn round_trip_serialization() {\n        let sketch = WireSketch::from_keypoints(&[[0.5f32, 0.5], [0.3, 0.7]]);\n        let bytes = sketch.to_bytes();\n        let restored = WireSketch::from_bytes(&bytes).unwrap();\n        assert_eq!(sketch, restored);\n    }\n\n    #[test]\n    fn deserialize_truncated_bytes_returns_error() {\n        let sketch = WireSketch::from_keypoints(&[[0.5f32, 0.5]]);\n        let mut bytes = sketch.to_bytes();\n        bytes.truncate(bytes.len() / 2); // truncate halfway\n        assert!(WireSketch::from_bytes(&bytes).is_err());\n    }\n\n    #[test]\n    fn empty_keypoint_list_is_handled() {\n        let sketch = WireSketch::from_keypoints(&[]);\n        assert_eq!(sketch.keypoint_count(), 0);\n    }\n}"
-      },
-      {
-        "language": "rust",
-        "code": "// v2/crates/wifi-densepose-signal/tests/ruvsense_tests.rs\n\n#[cfg(test)]\nmod coherence_gate_tests {\n    use wifi_densepose_signal::ruvsense::coherence_gate::{CoherenceGate, GateDecision};\n\n    #[test]\n    fn high_coherence_signal_is_accepted() {\n        let gate = CoherenceGate::new(0.7); // threshold = 0.7\n        let decision = gate.evaluate(0.95);\n        assert_eq!(decision, GateDecision::Accept);\n    }\n\n    #[test]\n    fn low_coherence_signal_is_rejected() {\n        let gate = CoherenceGate::new(0.7);\n        let decision = gate.evaluate(0.3);\n        assert_eq!(decision, GateDecision::Reject);\n    }\n\n    #[test]\n    fn borderline_coherence_triggers_recalibrate() {\n        let gate = CoherenceGate::new(0.7);\n        let decision = gate.evaluate(0.68); // just below threshold\n        assert_eq!(decision, GateDecision::Recalibrate);\n    }\n}\n\n#[cfg(test)]\nmod phase_align_tests {\n    use wifi_densepose_signal::ruvsense::phase_align::PhaseAligner;\n\n    #[test]\n    fn phase_at_plus_pi_does_not_wrap_incorrectly() {\n        let aligner = PhaseAligner::new();\n        let phases = vec![std::f32::consts::PI - 0.001, std::f32::consts::PI + 0.001];\n        let aligned = aligner.align(&phases);\n        // jump across ±π boundary must be handled continuously\n        let diff = (aligned[1] - aligned[0]).abs();\n        assert!(diff < 0.01, \"phase jump at ±π must be < 0.01 rad after alignment\");\n    }\n\n    #[test]\n    fn single_phase_value_aligns_to_itself() {\n        let aligner = PhaseAligner::new();\n        let phases = vec![1.5f32];\n        let aligned = aligner.align(&phases);\n        assert_eq!(aligned.len(), 1);\n        assert!((aligned[0] - 1.5).abs() < 1e-6);\n    }\n\n    #[test]\n    fn empty_phase_array_returns_empty() {\n        let aligner = PhaseAligner::new();\n        let aligned = aligner.align(&[]);\n        assert!(aligned.is_empty());\n    }\n}\n\n#[cfg(test)]\nmod adversarial_detection_tests {\n    use wifi_densepose_signal::ruvsense::adversarial::AdversarialDetector;\n\n    #[test]\n    fn physically_impossible_amplitude_is_flagged() {\n        let detector = AdversarialDetector::new();\n        // WiFi amplitude cannot exceed hardware saturation level\n        let frame = vec![1e9f32; 56]; // absurdly large\n        assert!(detector.is_suspicious(&frame));\n    }\n\n    #[test]\n    fn normal_amplitude_range_passes() {\n        let detector = AdversarialDetector::new();\n        let frame = vec![0.5f32; 56]; // typical normalized value\n        assert!(!detector.is_suspicious(&frame));\n    }\n\n    #[test]\n    fn multi_link_inconsistency_is_detected() {\n        // link A reports body moving right; link B reports no motion\n        // physically inconsistent — flag as adversarial\n        let detector = AdversarialDetector::new();\n        let result = detector.check_multi_link_consistency(\n            &[1.0, 2.0, 3.0], // link A\n            &[0.0, 0.0, 0.0], // link B (no motion)\n        );\n        assert!(result.is_inconsistent());\n    }\n}"
-      },
-      {
-        "language": "rust",
-        "code": "// v2/crates/wifi-densepose-train/tests/test_geometry.rs\n\n#[cfg(test)]\nmod film_layer_tests {\n    use wifi_densepose_train::geometry::FilmLayer;\n\n    #[test]\n    fn film_layer_output_shape_matches_input() {\n        let film = FilmLayer::new(64, 32); // 64-dim features, 32-dim condition\n        let features = vec![0.5f32; 64];\n        let condition = vec![1.0f32; 32];\n        let output = film.forward(&features, &condition).unwrap();\n        assert_eq!(output.len(), 64, \"FiLM output must match feature dimensionality\");\n    }\n\n    #[test]\n    fn film_layer_zero_condition_acts_as_identity() {\n        let film = FilmLayer::new(64, 32);\n        let features = vec![1.0f32; 64];\n        let zero_condition = vec![0.0f32; 32];\n        let output = film.forward(&features, &zero_condition).unwrap();\n        // scale=1, shift=0 → identity; output ≈ input\n        for (o, f) in output.iter().zip(features.iter()) {\n            assert!((o - f).abs() < 0.1, \"zero condition should approximate identity\");\n        }\n    }\n}\n\n// v2/crates/wifi-densepose-train/tests/test_rapid_adapt.rs\n\n#[cfg(test)]\nmod rapid_adaptation_tests {\n    use wifi_densepose_train::rapid_adapt::RapidAdapter;\n\n    #[test]\n    fn adapter_updates_on_single_sample() {\n        let mut adapter = RapidAdapter::new(5); // 5 adaptation steps\n        let csi_sample = vec![0.1f32; 56 * 3];\n        let pose_label = vec![0.5f32; 17 * 2]; // 17 keypoints × (x, y)\n        let result = adapter.adapt_step(&csi_sample, &pose_label);\n        assert!(result.is_ok());\n    }\n\n    #[test]\n    fn adapter_with_zero_steps_is_no_op() {\n        let adapter = RapidAdapter::new(0);\n        // 0 adaptation steps → weights unchanged\n        let initial_weights = adapter.clone_weights();\n        let _ = adapter.adapt_step(&vec![0.1f32; 168], &vec![0.5f32; 34]);\n        assert_eq!(adapter.clone_weights(), initial_weights);\n    }\n}"
-      },
-      {
-        "language": "rust",
-        "code": "// v2/crates/wifi-densepose-sensing-server/tests/auth_tests.rs\n\n#[cfg(test)]\nmod bearer_auth_tests {\n    use wifi_densepose_sensing_server::auth::{BearerValidator, TokenError};\n\n    #[test]\n    fn missing_authorization_header_returns_unauthorized() {\n        let validator = BearerValidator::new(\"secret-token\");\n        let result = validator.validate(None);\n        assert!(matches!(result, Err(TokenError::Missing)));\n    }\n\n    #[test]\n    fn wrong_token_is_rejected() {\n        let validator = BearerValidator::new(\"correct-token\");\n        let result = validator.validate(Some(\"Bearer wrong-token\"));\n        assert!(matches!(result, Err(TokenError::Invalid)));\n    }\n\n    #[test]\n    fn malformed_header_without_bearer_prefix_is_rejected() {\n        let validator = BearerValidator::new(\"token\");\n        let result = validator.validate(Some(\"token\")); // missing \"Bearer \" prefix\n        assert!(matches!(result, Err(TokenError::Malformed)));\n    }\n\n    #[test]\n    fn correct_token_is_accepted() {\n        let validator = BearerValidator::new(\"correct-token\");\n        let result = validator.validate(Some(\"Bearer correct-token\"));\n        assert!(result.is_ok());\n    }\n}\n\n// v2/crates/wifi-densepose-sensing-server/tests/semantic_tests.rs\n\n#[cfg(test)]\nmod fall_detection_tests {\n    use wifi_densepose_sensing_server::semantic::fall_detector::FallDetector;\n\n    #[test]\n    fn no_motion_does_not_trigger_fall() {\n        let mut detector = FallDetector::new();\n        for _ in 0..30 { // 30 frames of stillness\n            detector.update_pose(stationary_pose());\n        }\n        assert!(!detector.fall_detected());\n    }\n\n    #[test]\n    fn rapid_downward_velocity_triggers_fall() {\n        let mut detector = FallDetector::new();\n        // simulate person going from standing (y=1.7m) to prone (y=0.3m) in 3 frames\n        for (frame, y) in [(0, 1.7f32), (1, 1.0), (2, 0.3)] {\n            detector.update_pose(pose_at_height(y));\n        }\n        assert!(detector.fall_detected());\n    }\n\n    #[test]\n    fn sitting_down_slowly_does_not_trigger_fall() {\n        let mut detector = FallDetector::new();\n        // gradual height decrease over 30 frames is sitting, not falling\n        for i in 0..30 {\n            let y = 1.7f32 - (i as f32 * 0.04); // ~1.2m drop over 30 frames\n            detector.update_pose(pose_at_height(y));\n        }\n        assert!(!detector.fall_detected());\n    }\n}"
-      }
-    ]
-  },
-  "rawOutputPreview": "The exploration is complete. Here's the full coverage analysis with test skeletons for each critical gap.\n\n---\n\n## Test Coverage Gap Analysis — wifi-densepose\n\n### Coverage Summary by Crate\n\n| Crate | Tests Found | Status | Priority |\n|-------|-------------|--------|----------|\n| `wifi-densepose-core` | 26 inline | Good | Low |\n| `wifi-densepose-signal` | ~60 (validation only) | Moderate | **High** |\n| `wifi-densepose-nn` | **0** | Critical | **P1** |\n| `wifi-densepose-train` | ~60 (config/dataset) | Moderate | High |\n| `wifi-densepose-mat` | 1 integration test | Critical | **P1** |\n| `wifi-densepose-ruvector` | **0** | Critical | **P1** |\n| `wifi-densepose-sensing-server` | 4 integration tests | Moderate | High |\n| `wifi-densepose-wasm` | 3 compliance tests | Low | Low |\n\n---\n\n## Tier 1: Critical Gaps\n\n### 1. `wifi-densepose-nn` — Zero test coverage\n\nEvery public API is untested. Place these at `v2/crates/wifi-densepose-nn/tests/inference_tests.rs`:\n\n```rust\n// v2/crates/wifi-densepose-nn/tests/inference_tests.rs\n\n#[cfg(test)]\nmod tensor_tests {\n    use wifi_densepose_nn::tensor::Tensor;\n\n    #[test]\n    fn tensor_shape_mismatch_returns_error() {\n        // data has 6 elements but shape claims 3×3=9\n        let result = Tensor::new(vec![1.0f32; 6], &[3, 3]);\n        assert!(result.is_err(), \"shape mismatch must be rejected\");\n    }\n\n    #[test]\n    fn tensor_empty_data_returns_error() {\n        let result = Tensor::new(vec![], &[0]);\n        assert!(result.is_err());\n    }\n\n    #[test]\n    fn tensor_nan_values_are_detected() {\n        let t = Tensor::new(vec![f32::NAN, 1.0, 2.0], &[3]).unwrap();\n        assert!(t.has_nan(), \"NaN in data must be detectable\");\n    }\n\n    #[test]\n    fn tensor_inf_values_are_detected() {\n        let t = Tensor::new(vec![f32::INFINITY, 1.0], &[2]).unwrap();\n        assert!(t.has_inf());\n    }\n}\n\n#[cfg(test)]\nmod modality_translator_tests {\n    use wifi_densepose_nn::translator::ModalityTranslator;\n\n    #[test]\n    fn translator_rejects",
-  "rawOutputLength": 18269
-}

.claude/scheduled_tasks.lock

@@ -1 +0,0 @@
-{"sessionId":"d80c93c2-51b7-42e8-a0fc-dc47cff1200f","pid":45748,"acquiredAt":1779668018388}

.claude/settings.json

@@ -126,7 +126,10 @@
       "Bash(node .claude/*)",
       "mcp__claude-flow__:*"
     ],
-    "deny": []
+    "deny": [
+      "Read(./.env)",
+      "Read(./.env.*)"
+    ]
   },
   "attribution": {
     "commit": "Co-Authored-By: claude-flow <ruv@ruv.net>",

.github/workflows/aether-arena-harness.yml

@@ -1,94 +0,0 @@
-name: AetherArena harness gate (ADR-149)
-
-# Runs the AetherArena scoring harness as a PR build gate. Every PR that touches
-# the scorer, the metrics, or the benchmark scaffold must keep the deterministic
-# score hash stable (ADR-149 §2.5 determinism_gate). If the scoring maths changes,
-# the hash moves and this gate fails until `expected_score.sha256` is regenerated
-# and reviewed — so scorer drift can never land silently.
-#
-# This is the "a PR that runs the harness as part of the build process" requirement.
-
-on:
-  pull_request:
-    paths:
-      - 'v2/crates/wifi-densepose-train/src/ruview_metrics.rs'
-      - 'v2/crates/wifi-densepose-train/src/ablation.rs'
-      - 'v2/crates/wifi-densepose-train/src/bin/aa_score_runner.rs'
-      - 'aether-arena/**'
-      - '.github/workflows/aether-arena-harness.yml'
-  push:
-    branches: ['feat/adr-149-aether-arena']
-  workflow_dispatch:
-
-permissions:
-  contents: read
-  pull-requests: write
-
-jobs:
-  harness-gate:
-    name: Run AA scorer harness (determinism gate)
-    runs-on: ubuntu-latest
-    defaults:
-      run:
-        working-directory: v2
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Install Rust toolchain
-        run: rustup show && rustc --version
-
-      - name: Cache cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            v2/target
-          key: aa-harness-${{ runner.os }}-${{ hashFiles('v2/Cargo.lock') }}
-
-      # 1. Build the pure-Rust scorer (no torch / no GPU → fast PR gate).
-      - name: Build AA score runner
-        run: cargo build -p wifi-densepose-train --bin aa_score_runner --no-default-features
-
-      # 2. Determinism gate: the committed expected hash must still match. A
-      #    non-zero exit here fails the PR.
-      - name: Run determinism gate
-        run: cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features
-
-      # 3. Repeatability analysis (witness chain): the harness must produce one
-      #    identical proof hash across many runs — any nondeterminism fails here.
-      - name: Repeatability analysis (16 runs)
-        run: cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features -- --repeat 16
-
-      # 4. Real-scoring smoke: score a sample prediction against the public smoke
-      #    split, exercising the actual model-scoring path (not just the fixture).
-      - name: Real-scoring smoke test
-        run: |
-          cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features -- \
-            --split ../aether-arena/fixtures/smoke_split.json \
-            --pred  ../aether-arena/fixtures/smoke_pred.json --json
-
-      # 5. Witness ledger chain integrity: the append-only results ledger must
-      #    verify (every prev_hash link + row_hash intact = no silent edits).
-      - name: Verify witness ledger chain
-        working-directory: aether-arena/ledger
-        run: python3 ledger_tools.py verify
-
-      # 6. Emit the witness row + repeatability into the PR run summary.
-      - name: Witness row → job summary
-        if: always()
-        run: |
-          ROW=$(cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features -- --json)
-          REP=$(cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features -- --repeat 16)
-          {
-            echo "## AetherArena harness gate (witness chain)"
-            echo ""
-            echo "Deterministic witness (ADR-149 §2.2 / proof + repeatability):"
-            echo '```json'
-            echo "$ROW"
-            echo "$REP"
-            echo '```'
-            echo ""
-            echo "If the determinism gate failed, the scoring maths changed: regenerate with"
-            echo '`cargo run -p wifi-densepose-train --bin aa_score_runner --no-default-features -- --generate-hash > aether-arena/fixtures/expected_score.sha256` and review the diff.'
-          } >> "$GITHUB_STEP_SUMMARY"

.github/workflows/bfld-mqtt-integration.yml

@@ -1,99 +0,0 @@
-name: BFLD MQTT Integration
-
-# Runs the env-gated mosquitto integration tests from iters 24 + 29 of the
-# BFLD rollout (ADR-118 / ADR-122 §2.2). Spins up an eclipse-mosquitto:2
-# service container, exports BFLD_MQTT_BROKER, runs `cargo test --features
-# mqtt`. Local developers can reproduce with:
-#
-#     scoop install mosquitto   # Windows
-#     # or: docker run -p 1883:1883 eclipse-mosquitto:2
-#     BFLD_MQTT_BROKER=tcp://localhost:1883 \
-#       cargo test -p wifi-densepose-bfld --features mqtt
-
-on:
-  push:
-    branches:
-      - main
-      - 'feat/adr-118-*'
-      - 'feat/bfld-*'
-    paths:
-      - 'v2/crates/wifi-densepose-bfld/**'
-      - '.github/workflows/bfld-mqtt-integration.yml'
-  pull_request:
-    paths:
-      - 'v2/crates/wifi-densepose-bfld/**'
-      - '.github/workflows/bfld-mqtt-integration.yml'
-  workflow_dispatch:
-
-jobs:
-  mqtt-live-broker:
-    name: cargo test --features mqtt (live mosquitto)
-    runs-on: ubuntu-latest
-    timeout-minutes: 15
-
-    services:
-      mosquitto:
-        image: eclipse-mosquitto:2
-        ports:
-          - 1883:1883
-        # Allow anonymous connections — local-only CI broker, no exposure
-        # to the public internet, never touches production credentials.
-        options: >-
-          --health-cmd "mosquitto_pub -h localhost -t healthcheck -m ping || exit 1"
-          --health-interval 5s
-          --health-timeout 3s
-          --health-retries 10
-
-    env:
-      BFLD_MQTT_BROKER: tcp://localhost:1883
-      CARGO_TERM_COLOR: always
-      CARGO_INCREMENTAL: 0
-      RUSTFLAGS: -D warnings
-
-    steps:
-      - name: Checkout
-        uses: actions/checkout@v4
-
-      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          components: clippy
-
-      - name: Cache cargo registry + target
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            v2/target
-          key: bfld-mqtt-${{ runner.os }}-${{ hashFiles('v2/Cargo.lock') }}
-
-      - name: Wait for mosquitto to be ready
-        run: |
-          for i in {1..20}; do
-            if nc -z localhost 1883; then
-              echo "mosquitto reachable on port 1883 (attempt $i)"
-              exit 0
-            fi
-            echo "waiting for mosquitto ($i/20)..."
-            sleep 1
-          done
-          echo "mosquitto never became reachable" >&2
-          exit 1
-
-      - name: cargo test --no-default-features (baseline regression)
-        working-directory: v2
-        run: cargo test -p wifi-densepose-bfld --no-default-features
-
-      - name: cargo test (default features)
-        working-directory: v2
-        run: cargo test -p wifi-densepose-bfld
-
-      - name: cargo test --features mqtt (incl. live mosquitto roundtrip)
-        working-directory: v2
-        run: cargo test -p wifi-densepose-bfld --features mqtt
-
-      - name: cargo clippy --features mqtt (lint gate)
-        working-directory: v2
-        run: cargo clippy -p wifi-densepose-bfld --features mqtt --all-targets -- -D warnings
-        continue-on-error: true

.github/workflows/ci.yml

@@ -108,60 +108,21 @@ jobs:
     - name: Install Rust toolchain
       uses: dtolnay/rust-toolchain@stable
 
-    # Swatinem/rust-cache replaces a naive `actions/cache` of the whole
-    # `v2/target`. That manual cache of a 38-crate target dir (multi-GB) was an
-    # intermittent failure source — several CI runs this cycle died at the
-    # cache/setup step (after toolchain install, before "Run Rust tests"),
-    # needing a rerun. rust-cache is purpose-built for Rust: it caches the
-    # registry + git + a pruned target, evicts stale deps, and restores far more
-    # reliably (and faster) on large workspaces. `workspaces: v2` points it at
-    # the v2/ cargo workspace (keys on v2/Cargo.lock, caches v2/target).
-    - name: Cache cargo (Swatinem/rust-cache)
-      uses: Swatinem/rust-cache@v2
+    - name: Cache cargo
+      uses: actions/cache@v4
       with:
-        workspaces: v2
+        path: |
+          ~/.cargo/registry
+          ~/.cargo/git
+          v2/target
+        key: ${{ runner.os }}-cargo-${{ hashFiles('v2/Cargo.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-cargo-
 
-    # The 38-crate workspace debug build exhausts the runner's disk when built
-    # with full debuginfo (observed: "final link failed: No space left on
-    # device" once the engine/benchmark crates landed; the same tree's local
-    # debug target measured 151 GB). Debuginfo is useless in CI — tests either
-    # pass or print their failure — so build without it; target shrinks ~5-10x.
     - name: Run Rust tests
       working-directory: v2
-      env:
-        CARGO_PROFILE_DEV_DEBUG: "0"
-        CARGO_PROFILE_TEST_DEBUG: "0"
       run: cargo test --workspace --no-default-features
 
-    - name: Run ADR-147 worldmodel tests
-      working-directory: v2
-      env:
-        CARGO_PROFILE_DEV_DEBUG: "0"
-        CARGO_PROFILE_TEST_DEBUG: "0"
-      run: cargo test -p wifi-densepose-worldmodel --no-default-features
-
-    # ADR-134 CIR tests are behind the `cir` feature so the bench dependency
-    # (Criterion) only pulls when actually exercised. Run them as a separate
-    # step so a CIR-only regression is unambiguously attributable.
-    - name: Run ADR-134 CIR tests
-      working-directory: v2
-      run: cargo test -p wifi-densepose-signal --no-default-features --features cir --tests
-
-    # ADR-134 + ADR-028 witness guard. The CIR proof runner produces a
-    # bit-deterministic SHA-256 over CirEstimator output on the synthetic
-    # reference signal. Any algorithmic regression — changes to ISTA
-    # convergence, sensing matrix construction, soft-thresholding, or input
-    # padding — breaks the hash and fails the build. To regenerate after an
-    # *intentional* change:
-    #   cd v2 && cargo run -p wifi-densepose-signal --bin cir_proof_runner \
-    #     --release --no-default-features -- --generate-hash \
-    #     > ../archive/v1/data/proof/expected_cir_features.sha256
-    - name: ADR-134 CIR witness proof (determinism guard)
-      run: bash scripts/verify-cir-proof.sh
-
-    - name: ADR-135 calibration witness proof (determinism guard)
-      run: bash scripts/verify-calibration-proof.sh
-
   # Unit and Integration Tests
   # Python pytest matrix — runs against the archived v1 Python tree.
   # `continue-on-error: true` for the same reason as code-quality above:
@@ -278,45 +239,23 @@ jobs:
       run: |
         python -m pip install --upgrade pip
         pip install -r requirements.txt
-        pip install pytest   # the perf suite is pytest, not locust
+        pip install locust
 
-    # No "Start application" step: the gated test (test_frame_budget.py) drives
-    # the CSIProcessor pipeline in-process and makes no HTTP calls, so the old
-    # uvicorn server + `sleep 10` were dead weight — they only existed for the
-    # now-excluded api_throughput/inference_speed tests, and on every run dumped
-    # ~50 misleading "router requires hardware setup" ERROR lines for a server
-    # no test touched. MOCK_POSE_DATA is server-only and unused here.
-
-    - name: Run performance tests
+    - name: Start application
       working-directory: archive/v1
       run: |
-        # Gate only on the genuine, deterministic perf guard:
-        # test_frame_budget.py times the *real* CSIProcessor pipeline against
-        # the ADR 50 ms per-frame budget (single-frame, p95 over 100 frames,
-        # +Doppler) — a true regression signal.
-        #
-        # test_api_throughput.py / test_inference_speed.py are excluded: every
-        # test there is a TDD red-phase stub (suffix `_should_fail_initially`)
-        # that times a *mock that sleeps* — meaningless as a perf signal, with
-        # machine-dependent wall-clock asserts (e.g. `actual_rps >= 40`,
-        # `batch_time < individual_time`) that are inherently flaky on shared
-        # CI runners, plus a cross-class fixture-scope bug. Forcing them green
-        # would be manufacturing a false signal; they stay in-repo for local
-        # TDD but do not gate CI until the underlying features are implemented.
-        #
-        # `python -m pytest` (not the bare `pytest` script) puts the cwd
-        # (archive/v1) on sys.path so `from src.core...` resolves — the bare
-        # script omits cwd and raises ModuleNotFoundError: No module named 'src'.
-        # -o addopts="" drops the root pyproject's --cov/--cov-fail-under=100.
-        python -m pytest tests/performance/test_frame_budget.py \
-          -o addopts="" -v --junitxml=perf-junit.xml
+        uvicorn src.api.main:app --host 0.0.0.0 --port 8000 &
+        sleep 10
+
+    - name: Run performance tests
+      run: |
+        locust -f tests/performance/locustfile.py --headless --users 50 --spawn-rate 5 --run-time 60s --host http://localhost:8000
 
     - name: Upload performance results
-      if: always()
       uses: actions/upload-artifact@v4
       with:
         name: performance-results
-        path: archive/v1/perf-junit.xml
+        path: locust_report.html
 
   # Docker Build and Test
   # NOTE: the canonical Docker build for the sensing-server is now
@@ -402,8 +341,6 @@ jobs:
     runs-on: ubuntu-latest
     needs: [docker-build]
     if: github.ref == 'refs/heads/main'
-    permissions:
-      contents: write   # gh-pages deploy needs write (GITHUB_TOKEN is read-only by default -> 403)
     steps:
     - name: Checkout code
       uses: actions/checkout@v4
@@ -421,8 +358,6 @@ jobs:
 
     - name: Generate OpenAPI spec
       working-directory: archive/v1
-      env:
-        MOCK_POSE_DATA: "true"   # no CSI hardware in CI
       run: |
         python -c "
         from src.api.main import app
@@ -433,7 +368,6 @@ jobs:
 
     - name: Deploy to GitHub Pages
       uses: peaceiris/actions-gh-pages@v4
-      continue-on-error: true   # openapi generation above is the real validation; deploy is best-effort (Pages may be disabled)
       with:
         github_token: ${{ secrets.GITHUB_TOKEN }}
         publish_dir: ./docs

.github/workflows/cog-ha-matter-release.yml

@@ -1,200 +0,0 @@
-name: Cog HA-Matter Release
-
-# ADR-116 P8 — Build + sign + bundle the cog-ha-matter cog on a
-# version tag. Upload to gs://cognitum-apps/ runs only when the
-# GCP_CREDENTIALS + COGNITUM_OWNER_SIGNING_KEY secrets are set, so
-# this workflow is safe to merge before the production credentials
-# land — it'll bundle release artifacts to the workflow run page
-# either way.
-
-on:
-  push:
-    tags:
-      - 'cog-ha-matter-v*'
-  workflow_dispatch:
-    inputs:
-      dry_run:
-        description: 'Build + sign + bundle but skip GCS upload'
-        required: false
-        default: 'true'
-
-env:
-  CARGO_TERM_COLOR: always
-  CRATE: cog-ha-matter
-
-jobs:
-  build-x86_64:
-    name: Build x86_64
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Rust
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          targets: x86_64-unknown-linux-gnu
-
-      - name: Cache cargo registry
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            v2/target
-          key: cog-ha-matter-x86_64-${{ hashFiles('v2/Cargo.lock') }}
-
-      - name: Build release binary
-        working-directory: v2/crates/cog-ha-matter/cog
-        run: make build-x86_64
-
-      - name: Compute SHA-256
-        working-directory: v2/crates/cog-ha-matter/cog
-        run: make sign-x86_64
-
-      - name: Sign with Ed25519 (gated)
-        if: ${{ env.SIGNING_KEY != '' }}
-        env:
-          SIGNING_KEY: ${{ secrets.COGNITUM_OWNER_SIGNING_KEY }}
-        working-directory: v2/crates/cog-ha-matter/cog
-        run: |
-          printf '%s' "$SIGNING_KEY" \
-            | openssl pkeyutl -sign -inkey /dev/stdin -rawin \
-                -in dist/cog-ha-matter-x86_64.sha256 \
-            | base64 -w0 > dist/cog-ha-matter-x86_64.sig
-          echo "Signed cog-ha-matter-x86_64 ($(wc -c < dist/cog-ha-matter-x86_64.sig) bytes)"
-
-      - name: Upload workflow artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: cog-ha-matter-x86_64
-          path: |
-            v2/crates/cog-ha-matter/cog/dist/cog-ha-matter-x86_64
-            v2/crates/cog-ha-matter/cog/dist/cog-ha-matter-x86_64.sha256
-            v2/crates/cog-ha-matter/cog/dist/cog-ha-matter-x86_64.sig
-          if-no-files-found: warn
-
-  build-arm:
-    name: Build aarch64 (arm)
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Setup Rust
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          targets: aarch64-unknown-linux-gnu
-
-      - name: Install cross-compiler
-        run: |
-          sudo apt-get update
-          sudo apt-get install -y gcc-aarch64-linux-gnu
-
-      - name: Cache cargo registry
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            v2/target
-          key: cog-ha-matter-arm-${{ hashFiles('v2/Cargo.lock') }}
-
-      - name: Build release binary
-        working-directory: v2
-        env:
-          CARGO_TARGET_AARCH64_UNKNOWN_LINUX_GNU_LINKER: aarch64-linux-gnu-gcc
-        run: |
-          cargo build -p cog-ha-matter --release --target aarch64-unknown-linux-gnu
-          mkdir -p crates/cog-ha-matter/cog/dist
-          cp target/aarch64-unknown-linux-gnu/release/cog-ha-matter \
-             crates/cog-ha-matter/cog/dist/cog-ha-matter-arm
-          # ^ matches Makefile's `dist/$(CRATE)-arm` so `make sign-arm` finds it
-
-      - name: Compute SHA-256
-        working-directory: v2/crates/cog-ha-matter/cog
-        run: make sign-arm
-
-      - name: Sign with Ed25519 (gated)
-        if: ${{ env.SIGNING_KEY != '' }}
-        env:
-          SIGNING_KEY: ${{ secrets.COGNITUM_OWNER_SIGNING_KEY }}
-        working-directory: v2/crates/cog-ha-matter/cog
-        run: |
-          printf '%s' "$SIGNING_KEY" \
-            | openssl pkeyutl -sign -inkey /dev/stdin -rawin \
-                -in dist/cog-ha-matter-arm.sha256 \
-            | base64 -w0 > dist/cog-ha-matter-arm.sig
-          echo "Signed cog-ha-matter-arm ($(wc -c < dist/cog-ha-matter-arm.sig) bytes)"
-
-      - name: Upload workflow artifact
-        uses: actions/upload-artifact@v4
-        with:
-          name: cog-ha-matter-arm
-          path: |
-            v2/crates/cog-ha-matter/cog/dist/cog-ha-matter-arm
-            v2/crates/cog-ha-matter/cog/dist/cog-ha-matter-arm.sha256
-            v2/crates/cog-ha-matter/cog/dist/cog-ha-matter-arm.sig
-          if-no-files-found: warn
-
-  publish-gcs:
-    name: Upload to GCS (gated)
-    needs: [build-x86_64, build-arm]
-    runs-on: ubuntu-latest
-    # Skip on dry-run dispatch; skip on tags when GCP_CREDENTIALS unset.
-    if: >
-      github.event_name == 'push' &&
-      vars.HAS_GCP_CREDENTIALS == 'true'
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Download x86_64 artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: cog-ha-matter-x86_64
-          path: dist/
-
-      - name: Download arm artifact
-        uses: actions/download-artifact@v4
-        with:
-          name: cog-ha-matter-arm
-          path: dist/
-
-      - name: Auth to GCP
-        uses: google-github-actions/auth@v2
-        with:
-          credentials_json: ${{ secrets.GCP_CREDENTIALS }}
-
-      - name: Set up gcloud
-        uses: google-github-actions/setup-gcloud@v2
-
-      - name: Upload binaries + sidecars
-        run: |
-          gsutil cp dist/cog-ha-matter-x86_64       gs://cognitum-apps/cogs/x86_64/cog-ha-matter-x86_64
-          gsutil cp dist/cog-ha-matter-x86_64.sha256 gs://cognitum-apps/cogs/x86_64/cog-ha-matter-x86_64.sha256
-          gsutil cp dist/cog-ha-matter-arm           gs://cognitum-apps/cogs/arm/cog-ha-matter-arm
-          gsutil cp dist/cog-ha-matter-arm.sha256    gs://cognitum-apps/cogs/arm/cog-ha-matter-arm.sha256
-          if [ -f dist/cog-ha-matter-x86_64.sig ]; then
-            gsutil cp dist/cog-ha-matter-x86_64.sig gs://cognitum-apps/cogs/x86_64/cog-ha-matter-x86_64.sig
-          fi
-          if [ -f dist/cog-ha-matter-arm.sig ]; then
-            gsutil cp dist/cog-ha-matter-arm.sig    gs://cognitum-apps/cogs/arm/cog-ha-matter-arm.sig
-          fi
-
-      - name: Print app-registry.json snippet for the cognitum-one PR
-        run: |
-          for arch in arm x86_64; do
-            sha=$(cat dist/cog-cog-ha-matter-$arch.sha256)
-            sig=$([ -f dist/cog-cog-ha-matter-$arch.sig ] && cat dist/cog-cog-ha-matter-$arch.sig || echo "")
-            cat <<EOF
-          --- $arch ---
-          {
-            "id": "ha-matter",
-            "version": "${GITHUB_REF_NAME#cog-ha-matter-v}",
-            "binary_url": "https://storage.googleapis.com/cognitum-apps/cogs/$arch/cog-cog-ha-matter-$arch",
-            "binary_sha256": "$sha",
-            "binary_signature": "$sig",
-            "description": "Home Assistant + Matter Cognitum Seed cog (mDNS + witness chain)",
-            "min_seed_version": "0.6.0",
-            "installable_on": ["$arch"]
-          }
-          EOF
-          done

.github/workflows/mqtt-integration.yml

@@ -1,110 +0,0 @@
-name: ADR-115 MQTT integration tests
-
-# Runs the Mosquitto-broker-backed integration tests for ADR-115's MQTT
-# publisher. These prove the publisher reaches a real broker, emits the
-# expected HA-discovery topic shape, and honours --privacy-mode at the
-# wire boundary (not just in unit-test logic).
-#
-# Default `cargo test --workspace` does not run these tests because they
-# require a broker and pull rumqttc into the build. This workflow opts
-# into both by setting --features mqtt and RUVIEW_RUN_INTEGRATION=1.
-
-on:
-  pull_request:
-    paths:
-      - 'v2/crates/wifi-densepose-sensing-server/src/mqtt/**'
-      - 'v2/crates/wifi-densepose-sensing-server/tests/mqtt_integration.rs'
-      - 'v2/crates/wifi-densepose-sensing-server/Cargo.toml'
-      - '.github/workflows/mqtt-integration.yml'
-  push:
-    branches: [main]
-    paths:
-      - 'v2/crates/wifi-densepose-sensing-server/src/mqtt/**'
-  workflow_dispatch: {}
-
-jobs:
-  mqtt-integration:
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-
-    # NB: we don't use a `services:` mosquitto container here because the
-    # eclipse-mosquitto:2.x image rejects anonymous connections by default
-    # and GH Actions `services` doesn't easily support mounting a custom
-    # config file. We start mosquitto manually in a step below with an
-    # inline `allow_anonymous true` config.
-
-    env:
-      RUVIEW_RUN_INTEGRATION: "1"
-      RUVIEW_TEST_MQTT_PORT: "11883"
-      CARGO_TERM_COLOR: always
-      RUST_BACKTRACE: 1
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Install mosquitto + clients and start with allow_anonymous
-        run: |
-          sudo apt-get update -qq
-          sudo apt-get install -y mosquitto mosquitto-clients
-          sudo systemctl stop mosquitto || true
-          # Inline config: anon listener on 11883 only — no TLS, no auth,
-          # OK for CI because we test the wire shape, not security.
-          # Production deployments enable mTLS per ADR-115 §3.9.
-          cat > /tmp/mosquitto-ci.conf <<'EOF'
-          listener 11883
-          allow_anonymous true
-          persistence false
-          log_dest stdout
-          EOF
-          mosquitto -c /tmp/mosquitto-ci.conf -d
-          for i in {1..20}; do
-            if mosquitto_pub -h 127.0.0.1 -p 11883 -t healthcheck -m ok -q 0 2>/dev/null; then
-              echo "mosquitto reachable on 11883"; exit 0
-            fi
-            sleep 2
-          done
-          echo "mosquitto never became reachable" >&2
-          tail -50 /var/log/mosquitto/*.log 2>/dev/null || true
-          exit 1
-
-      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          toolchain: stable
-
-      - name: Cache cargo registry + build
-        uses: Swatinem/rust-cache@v2
-        with:
-          workspaces: v2 -> target
-
-      - name: Validate HA Blueprints
-        run: |
-          python -m pip install --quiet pyyaml
-          python scripts/validate-ha-blueprints.py
-
-      - name: Verify unit tests still pass under --features mqtt
-        working-directory: v2
-        # `cargo test` accepts a single TESTNAME filter, so we run the
-        # whole --lib suite here. That gives us the full 410-test green
-        # bar under --features mqtt (which is more reassuring than
-        # filtering anyway).
-        run: >-
-          cargo test -p wifi-densepose-sensing-server
-          --features mqtt --no-default-features
-          --lib
-          --no-fail-fast
-
-      - name: Run integration tests against mosquitto
-        working-directory: v2
-        run: >-
-          cargo test -p wifi-densepose-sensing-server
-          --features mqtt --no-default-features
-          --test mqtt_integration
-          --no-fail-fast
-          -- --test-threads=1 --nocapture
-
-      - name: Dump broker logs on failure
-        if: failure()
-        run: |
-          docker ps -a
-          docker logs $(docker ps -aqf "ancestor=eclipse-mosquitto:2.0.18") || true

.github/workflows/pip-release.yml

@@ -1,286 +0,0 @@
-# ADR-117 P5 — cibuildwheel + PyPI publish workflow for `wifi-densepose`
-#
-# This workflow is **explicitly NOT** triggered on every push. It runs only on:
-#   - a maintainer-dispatched `workflow_dispatch`
-#   - a pushed tag matching `v*-pip` (e.g. `v2.0.0-pip`)
-#
-# The reason for the `-pip` tag suffix is that the repo already cuts
-# `v0.X.Y-esp32` tags for firmware releases (see CLAUDE.md). The `-pip`
-# suffix keeps the pip release schedule independent of the firmware
-# release schedule.
-#
-# Sequencing on release day (per ADR-117 §7.3):
-#   1. cut tag `v1.99.0-pip`  → publishes the tombstone wheel first
-#   2. cut tag `v2.0.0-pip`   → publishes the PyO3 v2 wheel matrix
-#
-# Publishes via the `PYPI_API_TOKEN` GitHub Actions secret. The
-# token-refresh runbook (GCP Secret Manager → gh secret set) lives in
-# docs/integrations/pypi-release.md so KICS does not flag the
-# secret name as a generic-secret literal in the workflow.
-#
-# Q3 (witness hash v2 — open in ADR-117 §11.3) MUST be resolved
-# before the first v2.0.0 publish. When v2 lands, add a parallel
-# step that verifies the v2 hash against the Rust pipeline.
-
-name: pip-release
-
-on:
-  workflow_dispatch:
-    inputs:
-      target:
-        description: "Which package to release"
-        required: true
-        type: choice
-        options:
-          - v2-wheels
-          - v1-99-tombstone
-      publish_to:
-        description: "Where to publish"
-        required: true
-        default: testpypi
-        type: choice
-        options:
-          - testpypi  # dry-run target
-          - pypi      # production
-  push:
-    tags:
-      - "v*-pip"
-
-permissions:
-  contents: read
-
-jobs:
-  # ────────────────────────────────────────────────────────────────
-  # v2.0.0 — cibuildwheel matrix (5 wheels + sdist)
-  # ────────────────────────────────────────────────────────────────
-
-  build-wheels:
-    name: Build ${{ matrix.os }} ${{ matrix.arch }}
-    if: |
-      github.event_name == 'workflow_dispatch' && inputs.target == 'v2-wheels' ||
-      startsWith(github.ref, 'refs/tags/v2.')
-    strategy:
-      fail-fast: false
-      matrix:
-        include:
-          - os: ubuntu-latest
-            arch: x86_64
-          - os: ubuntu-latest
-            arch: aarch64
-          - os: macos-13          # x86_64 runner
-            arch: x86_64
-          - os: macos-14          # arm64 runner
-            arch: arm64
-          - os: windows-latest
-            arch: AMD64
-    runs-on: ${{ matrix.os }}
-    steps:
-      - uses: actions/checkout@v4
-
-      # Linux aarch64 needs QEMU for cross-build on x86_64 runners.
-      - name: Set up QEMU
-        if: matrix.os == 'ubuntu-latest' && matrix.arch == 'aarch64'
-        uses: docker/setup-qemu-action@v3
-
-      # ADR-117 §5.4: abi3-py310 — one binary per OS/arch covers all
-      # Python minor versions ≥ 3.10. Build only cp310 wheels.
-      - name: Build wheels (cibuildwheel)
-        uses: pypa/cibuildwheel@v2.21
-        env:
-          CIBW_BUILD: "cp310-*"
-          CIBW_ARCHS_LINUX: ${{ matrix.arch }}
-          CIBW_ARCHS_MACOS: ${{ matrix.arch }}
-          CIBW_ARCHS_WINDOWS: ${{ matrix.arch }}
-          CIBW_BUILD_FRONTEND: "build"
-          CIBW_BEFORE_BUILD: "pip install maturin>=1.7"
-          # The PyO3 sdist landing depends on the cargo/Rust toolchain
-          # being present. cibuildwheel images carry rustup on Linux
-          # but we also pin a known-good version for reproducibility.
-          CIBW_BEFORE_ALL_LINUX: "curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain 1.82"
-          CIBW_ENVIRONMENT_LINUX: 'PATH="$HOME/.cargo/bin:$PATH"'
-          # Smoke-test every built wheel before accepting it. Catches
-          # the case where the wheel imports but the compiled symbols
-          # are missing.
-          CIBW_TEST_REQUIRES: "pytest>=8.0"
-          CIBW_TEST_COMMAND: 'python -c "import wifi_densepose; assert wifi_densepose.hello() == \"ok\"; print(wifi_densepose.__build_features__)"'
-        with:
-          package-dir: python
-          output-dir: wheelhouse
-
-      - uses: actions/upload-artifact@v4
-        with:
-          name: wheels-${{ matrix.os }}-${{ matrix.arch }}
-          path: wheelhouse/*.whl
-          if-no-files-found: error
-
-  build-sdist:
-    name: Build v2 sdist
-    if: |
-      github.event_name == 'workflow_dispatch' && inputs.target == 'v2-wheels' ||
-      startsWith(github.ref, 'refs/tags/v2.')
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: Install maturin
-        run: pip install maturin>=1.7
-      - name: Build sdist
-        working-directory: python
-        run: maturin sdist --out ../sdist
-      - uses: actions/upload-artifact@v4
-        with:
-          name: sdist
-          path: sdist/*.tar.gz
-          if-no-files-found: error
-
-  # ────────────────────────────────────────────────────────────────
-  # v1.99.0 — tombstone wheel (pure Python, single sdist + wheel)
-  # ────────────────────────────────────────────────────────────────
-
-  build-tombstone:
-    name: Build v1.99.0 tombstone
-    if: |
-      github.event_name == 'workflow_dispatch' && inputs.target == 'v1-99-tombstone' ||
-      startsWith(github.ref, 'refs/tags/v1.99')
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-python@v5
-        with:
-          python-version: '3.12'
-      - name: Install build backend
-        run: python -m pip install --upgrade pip build>=1.2
-      - name: Build sdist + wheel
-        working-directory: python/tombstone
-        run: python -m build --outdir ../../tombstone-dist
-      # Inspect what was actually built — the previous v1.99.0-pip run
-      # showed an `import wifi_densepose` that returned cleanly instead
-      # of raising, even though build logs said `adding 'wifi_densepose/__init__.py'`.
-      # Print the wheel manifest + the __init__.py content so any
-      # future regression is debuggable from the run log alone.
-      - name: Inspect wheel contents
-        run: |
-          set -e
-          WHL=tombstone-dist/wifi_densepose-1.99.0-py3-none-any.whl
-          echo "--- wheel listing ---"
-          python -m zipfile -l "$WHL"
-          echo "--- wifi_densepose/__init__.py inside the wheel ---"
-          python -m zipfile -e "$WHL" /tmp/tomb-inspect
-          cat /tmp/tomb-inspect/wifi_densepose/__init__.py
-          echo "--- size in bytes ---"
-          wc -c /tmp/tomb-inspect/wifi_densepose/__init__.py
-      # Smoke-test in an ISOLATED venv. The previous run's failure
-      # mode was that the ubuntu-latest runner's system `python` had
-      # site-packages picking up something other than the user-installed
-      # wheel, so the import resolved to a different module. A clean
-      # venv removes any ambiguity about which wifi_densepose is loaded.
-      - name: Smoke-test tombstone in isolated venv
-        run: |
-          set -e
-          # Copy the wheel to /tmp BEFORE entering the venv — we must
-          # cd OUT of the repo root because the repo contains a
-          # `wifi_densepose/` directory left over from the legacy v1
-          # source. Python puts cwd at sys.path[0], so an import from
-          # the repo root would resolve to the legacy directory and
-          # bypass the freshly-installed wheel entirely (this was the
-          # silent failure mode of the previous two run attempts).
-          cp tombstone-dist/wifi_densepose-1.99.0-py3-none-any.whl /tmp/
-          python -m venv /tmp/smoke-venv
-          /tmp/smoke-venv/bin/python -m pip install --upgrade pip
-          /tmp/smoke-venv/bin/python -m pip install /tmp/wifi_densepose-1.99.0-py3-none-any.whl
-          cd /tmp  # away from the repo root's stray wifi_densepose/
-          /tmp/smoke-venv/bin/python -c "import importlib.util as u; s = u.find_spec('wifi_densepose'); print('Resolved to:', s.origin); print('--- file content ---'); print(open(s.origin).read())"
-          set +e
-          /tmp/smoke-venv/bin/python -c "import wifi_densepose" 2> import-output.txt
-          rc=$?
-          set -e
-          if [ "$rc" -eq 0 ]; then
-            echo "ERROR: tombstone import succeeded — should have raised ImportError"
-            exit 1
-          fi
-          if ! grep -q "github.com/ruvnet/RuView" import-output.txt; then
-            echo "ERROR: tombstone ImportError missing migration URL"
-            cat import-output.txt
-            exit 1
-          fi
-          echo "Tombstone wheel correctly raises ImportError with migration URL."
-      - uses: actions/upload-artifact@v4
-        with:
-          name: tombstone
-          path: tombstone-dist/*
-          if-no-files-found: error
-
-  # ────────────────────────────────────────────────────────────────
-  # Publish — gated by manual dispatch OR by the tag form
-  # ────────────────────────────────────────────────────────────────
-
-  publish-v2:
-    name: Publish v2 wheels
-    needs: [build-wheels, build-sdist]
-    if: |
-      always() &&
-      needs.build-wheels.result == 'success' &&
-      needs.build-sdist.result == 'success' &&
-      (
-        github.event_name == 'workflow_dispatch' && inputs.target == 'v2-wheels' ||
-        startsWith(github.ref, 'refs/tags/v2.')
-      )
-    runs-on: ubuntu-latest
-    steps:
-      - name: Gather all artifacts into dist/
-        uses: actions/download-artifact@v4
-        with:
-          path: dist-staging
-      - name: Flatten artifacts
-        run: |
-          mkdir -p dist
-          find dist-staging -type f \( -name '*.whl' -o -name '*.tar.gz' \) -exec cp -v {} dist/ \;
-          ls -lh dist/
-      - name: Publish to TestPyPI (dry-run target)
-        if: github.event_name == 'workflow_dispatch' && inputs.publish_to == 'testpypi'
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          repository-url: https://test.pypi.org/legacy/
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          packages-dir: dist
-          skip-existing: true
-      - name: Publish to PyPI
-        if: |
-          startsWith(github.ref, 'refs/tags/v2.') ||
-          (github.event_name == 'workflow_dispatch' && inputs.publish_to == 'pypi')
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          packages-dir: dist
-
-  publish-tombstone:
-    name: Publish v1.99 tombstone
-    needs: [build-tombstone]
-    if: |
-      always() &&
-      needs.build-tombstone.result == 'success' &&
-      (
-        github.event_name == 'workflow_dispatch' && inputs.target == 'v1-99-tombstone' ||
-        startsWith(github.ref, 'refs/tags/v1.99')
-      )
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/download-artifact@v4
-        with:
-          name: tombstone
-          path: dist
-      - name: Publish to TestPyPI (dry-run target)
-        if: github.event_name == 'workflow_dispatch' && inputs.publish_to == 'testpypi'
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          repository-url: https://test.pypi.org/legacy/
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          packages-dir: dist
-          skip-existing: true
-      - name: Publish to PyPI
-        if: |
-          startsWith(github.ref, 'refs/tags/v1.99') ||
-          (github.event_name == 'workflow_dispatch' && inputs.publish_to == 'pypi')
-        uses: pypa/gh-action-pypi-publish@release/v1
-        with:
-          password: ${{ secrets.PYPI_API_TOKEN }}
-          packages-dir: dist

.github/workflows/ruview-swarm-ci.yml

@@ -1,149 +0,0 @@
-name: ruview-swarm CI guard
-
-# Dedicated guard for the ADR-148 drone swarm crate (`v2/crates/ruview-swarm`).
-# The main ci.yml runs `cargo test --workspace --no-default-features`, which
-# only exercises ruview-swarm's DEFAULT feature set. This guard additionally:
-#   - tests every feature combination (train / ruflo+itar / full)
-#   - fails on ANY clippy warning in the crate's own code (--no-deps)
-#   - asserts the ITAR + publish guards stay in place (USML Cat VIII(h)(12))
-#   - builds the GPU training binary under the `train` feature
-#
-# Path-scoped so it only runs when the crate or this workflow changes.
-
-on:
-  push:
-    branches: [ main, 'feat/*' ]
-    paths:
-      - 'v2/crates/ruview-swarm/**'
-      - '.github/workflows/ruview-swarm-ci.yml'
-  pull_request:
-    paths:
-      - 'v2/crates/ruview-swarm/**'
-      - '.github/workflows/ruview-swarm-ci.yml'
-  workflow_dispatch:
-
-env:
-  CARGO_TERM_COLOR: always
-
-jobs:
-  # ── Feature-matrix tests ─────────────────────────────────────────────────
-  tests:
-    name: tests (${{ matrix.features.label }})
-    runs-on: ubuntu-latest
-    strategy:
-      fail-fast: false
-      matrix:
-        features:
-          - { label: 'default',          flags: '--no-default-features' }
-          - { label: 'train',            flags: '--features train' }
-          - { label: 'ruflo+itar',       flags: '--features ruflo,itar-unrestricted' }
-          - { label: 'full+train',       flags: '--features full,train' }
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - name: Cache cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            v2/target
-          key: ${{ runner.os }}-ruview-swarm-${{ hashFiles('v2/Cargo.lock') }}
-          restore-keys: ${{ runner.os }}-ruview-swarm-
-      - name: cargo test -p ruview-swarm ${{ matrix.features.flags }}
-        working-directory: v2
-        run: cargo test -p ruview-swarm ${{ matrix.features.flags }} --lib
-
-  # ── Clippy: zero warnings in the crate's own code ────────────────────────
-  clippy:
-    name: clippy (-D warnings, --no-deps)
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      # v2/rust-toolchain.toml pins channel "1.89" with profile "minimal" (no
-      # clippy). dtolnay@stable installs clippy on the floating "stable"
-      # toolchain, but the override makes cargo use the separate "1.89"
-      # toolchain — so `cargo clippy` errors "cargo-clippy is not installed for
-      # 1.89". Install clippy on the pinned toolchain that cargo actually uses.
-      - uses: dtolnay/rust-toolchain@stable
-        with:
-          toolchain: "1.89"
-          components: clippy
-      - name: Cache cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            v2/target
-          key: ${{ runner.os }}-ruview-swarm-clippy-${{ hashFiles('v2/Cargo.lock') }}
-          restore-keys: ${{ runner.os }}-ruview-swarm-clippy-
-      # --no-deps confines linting to ruview-swarm's own source, so pre-existing
-      # warnings in dependency crates don't gate this PR.
-      - name: clippy (default)
-        working-directory: v2
-        run: cargo clippy -p ruview-swarm --no-default-features --no-deps -- -D warnings
-      - name: clippy (full,train)
-        working-directory: v2
-        run: cargo clippy -p ruview-swarm --features full,train --no-deps -- -D warnings
-
-  # ── Build the GPU training binary (train feature) ────────────────────────
-  train-bin:
-    name: build train_marl bin
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: dtolnay/rust-toolchain@stable
-      - name: Cache cargo
-        uses: actions/cache@v4
-        with:
-          path: |
-            ~/.cargo/registry
-            ~/.cargo/git
-            v2/target
-          key: ${{ runner.os }}-ruview-swarm-bin-${{ hashFiles('v2/Cargo.lock') }}
-          restore-keys: ${{ runner.os }}-ruview-swarm-bin-
-      - name: cargo build --bin train_marl --features train
-        working-directory: v2
-        run: cargo build -p ruview-swarm --features train --bin train_marl
-      - name: train_marl is excluded from the default build
-        working-directory: v2
-        run: |
-          # The training binary requires the `train` feature; a default `--bins`
-          # build must NOT produce it (keeps default/CI builds light + Candle-free).
-          # Remove any prior artifact first so this checks what the DEFAULT build
-          # produces, not a leftover from the train-feature build above.
-          rm -f target/debug/train_marl
-          cargo build -p ruview-swarm --no-default-features --bins
-          if [ -f target/debug/train_marl ]; then
-            echo "ERROR: train_marl built without the 'train' feature" >&2
-            exit 1
-          fi
-          echo "OK: train_marl correctly gated behind the 'train' feature"
-
-  # ── ITAR + publish guards ────────────────────────────────────────────────
-  export-control-guard:
-    name: ITAR / publish guard
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - name: publish = false is present (no accidental crates.io publish)
-        run: |
-          CARGO=v2/crates/ruview-swarm/Cargo.toml
-          if ! grep -qE '^\s*publish\s*=\s*false' "$CARGO"; then
-            echo "ERROR: ruview-swarm Cargo.toml must keep 'publish = false' until" >&2
-            echo "       PR merge + dependency publish + ITAR export sign-off." >&2
-            exit 1
-          fi
-          echo "OK: publish = false present"
-      - name: default feature set does NOT enable itar-unrestricted
-        run: |
-          CARGO=v2/crates/ruview-swarm/Cargo.toml
-          # USML Cat VIII(h)(12): swarming coordination must be opt-in, never default.
-          DEFAULT_LINE=$(grep -E '^\s*default\s*=' "$CARGO" || true)
-          echo "default = $DEFAULT_LINE"
-          if echo "$DEFAULT_LINE" | grep -q 'itar-unrestricted'; then
-            echo "ERROR: 'itar-unrestricted' must NOT be in the default feature set" >&2
-            exit 1
-          fi
-          echo "OK: ITAR-gated coordination features are opt-in, not default"

.github/workflows/security-scan.yml

@@ -46,10 +46,7 @@ jobs:
 
     - name: Run Bandit security scan
       run: |
-        # The Python codebase lives under archive/v1/src (it moved there when
-        # the runtime was rewritten in Rust). Scanning `src/` matched nothing,
-        # so this SAST step was a silent no-op.
-        bandit -r archive/v1/src/ -f sarif -o bandit-results.sarif
+        bandit -r src/ -f sarif -o bandit-results.sarif
       continue-on-error: true
 
     - name: Upload Bandit results to GitHub Security
@@ -60,20 +57,22 @@ jobs:
         sarif_file: bandit-results.sarif
         category: bandit
 
-    # Removed the deprecated `returntocorp/semgrep-action@v1` step: it was
-    # redundant (the pip `semgrep --sarif` below is what feeds GitHub Security;
-    # the action only pushed to the Semgrep cloud app via SEMGREP_APP_TOKEN) and
-    # it pulled `returntocorp/semgrep-agent:v1` from Docker Hub on every run,
-    # which intermittently timed out and turned this check red. The pip semgrep
-    # (installed above) needs no Docker pull. The action's `p/docker` +
-    # `p/kubernetes` rulesets are folded into the command below so coverage is
-    # preserved.
-    - name: Run Semgrep + generate SARIF
+    - name: Run Semgrep security scan
+      continue-on-error: true
+      uses: returntocorp/semgrep-action@v1
+      with:
+        config: >-
+          p/security-audit
+          p/secrets
+          p/python
+          p/docker
+          p/kubernetes
+      env:
+        SEMGREP_APP_TOKEN: ${{ secrets.SEMGREP_APP_TOKEN }}
+        
+    - name: Generate Semgrep SARIF
       run: |
-        semgrep \
-          --config=p/security-audit --config=p/secrets --config=p/python \
-          --config=p/docker --config=p/kubernetes \
-          --sarif --output=semgrep.sarif archive/v1/src/
+        semgrep --config=p/security-audit --config=p/secrets --config=p/python --sarif --output=semgrep.sarif src/
       continue-on-error: true
 
     - name: Upload Semgrep results to GitHub Security

.github/workflows/sensing-server-docker.yml

@@ -26,8 +26,6 @@ on:
       - 'v2/crates/wifi-densepose-signal/**'
       - 'v2/crates/wifi-densepose-vitals/**'
       - 'v2/crates/wifi-densepose-wifiscan/**'
-      - 'v2/crates/wifi-densepose-bfld/**'
-      - 'v2/crates/cog-ha-matter/**'
       - 'v2/Cargo.toml'
       - 'v2/Cargo.lock'
       - 'ui/**'
@@ -61,16 +59,11 @@ jobs:
       - uses: docker/setup-buildx-action@v3
 
       - name: Log in to Docker Hub
-        # Bypassing docker/login-action@v3: the action kept emitting
-        # "malformed HTTP Authorization header" against a known-good
-        # dckr_pat_* token (verified by direct curl against the Hub API).
-        # `docker login --password-stdin` is the documented credential
-        # path and avoids whatever encoding step the action injects.
-        env:
-          DH_USER: ${{ secrets.DOCKERHUB_USERNAME }}
-          DH_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }}
-        run: |
-          printf '%s' "$DH_TOKEN" | docker login docker.io -u "$DH_USER" --password-stdin
+        uses: docker/login-action@v3
+        with:
+          registry: docker.io
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
 
       - name: Log in to ghcr.io
         uses: docker/login-action@v3

.github/workflows/verify-pipeline.yml

@@ -7,7 +7,6 @@ on:
       - 'archive/v1/src/core/**'
       - 'archive/v1/src/hardware/**'
       - 'archive/v1/data/proof/**'
-      - 'archive/v1/requirements-lock.txt'
       - '.github/workflows/verify-pipeline.yml'
   pull_request:
     branches: [ main, master ]
@@ -15,7 +14,6 @@ on:
       - 'archive/v1/src/core/**'
       - 'archive/v1/src/hardware/**'
       - 'archive/v1/data/proof/**'
-      - 'archive/v1/requirements-lock.txt'
       - '.github/workflows/verify-pipeline.yml'
   workflow_dispatch:
 

.gitignore

@@ -261,10 +261,3 @@ v2/crates/rvcsi-node/*.node
 v2/crates/rvcsi-node/binding.js
 v2/crates/rvcsi-node/binding.d.ts
 v2/crates/rvcsi-node/npm/
-
-# AetherArena private optimization staging — never published until reviewed
-aether-arena/staging/
-
-# MM-Fi benchmark dataset archives — large data, fetch separately, never commit
-assets/MM-Fi/E0*.zip
-assets/MM-Fi/*.zip

.gitmodules

@@ -14,7 +14,3 @@
 	path = vendor/rvcsi
 	url = https://github.com/ruvnet/rvcsi
 	branch = main
-[submodule "v2/crates/ruv-neural"]
-	path = v2/crates/ruv-neural
-	url = https://github.com/ruvnet/ruv-neural.git
-	branch = main

CHANGELOG.md

@@ -7,78 +7,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
-### Changed
-- **Mesh partition risk now demotes the privacy class and is witnessed (ADR-032).** The dynamic min-cut guard's `at_risk` signal was advisory-only (it fed the recalibration advisor). It now also contributes to the ADR-141 privacy demotion alongside fusion- and array-level contradictions: a mesh close to partitioning makes the fused belief less trustworthy, so the cycle emits at a more restricted class (monotonic — information only removed). Because `effective_class` feeds the BLAKE3 witness, a fragmenting array now shifts the witness — partition risk is auditable, not just logged. The mesh computation moved ahead of the demotion step in `process_cycle`; new `mesh_guard_mut()` exposes risk-threshold tuning. Test proves a forced-risk 3-node cycle demotes PrivateHome Anonymous→Restricted and shifts the witness vs a clean *same-topology* baseline (the only delta between the two cycles is the forced risk).
-
-### Added
-- **Beyond-SOTA `v2/crates/` sweep (ADR-154–158) + full stub-implementation push — every claim MEASURED or graded.** A 5-milestone review/optimize/secure/benchmark/validate sweep, then a verified-audit-driven push to replace every production stub with real, tested logic (no labels, no placeholders). Each fix is pinned by a test that fails on the old code; every number ships with a reproduce command. Workspace: **3,122 tests / 0 failed** (`cargo test --workspace --no-default-features`), Python proof **VERDICT: PASS** (bit-exact).
-  - **ADR-154 Signal/DSP** — revived a dead ADR-134 CIR coherence gate (canonical-56 vs ht20 mismatch meant it never ran in production: 8/8 Err → 8/8 Ok); NaN-bypass + window div0 guards; PSD FFT-planner cache (**2.0–3.1×**) + honored DTW band (**2.4–4.1×**).
-  - **ADR-155 NN/Training** — unified 7 divergent PCK/OKS metric definitions into one canonical torso-normalized source (fixed two claim-inflating bugs: zero-visible PCK 1.0→0.0, OKS fake-Gold); leak-free subject-disjoint MM-Fi split + injected-leak detector; rapid_adapt replaced fake gradients with real finite-difference; proof.rs gained a min-decrease margin + committed-hash requirement; zero-copy ORT input (**1.48×**).
-  - **ADR-156 RuVector/Fusion** — closed crafted-input DoS panics (triangulation/heartbeat); honest dimensionless GDOP = √(trace(G⁻¹)) replacing an RMSE mislabel; canonical wrapped angular distance; fuse() double-clone removed (**~2.17×** marshalling). SOTA graded: SymphonyQG (CLAIMED), multi-bit RaBitQ (near-term), GraphPose-Fi (data-gated).
-  - **ADR-157 Hardware/Sensing** — `Vec::remove(0)` O(n²) sliding windows → `VecDeque`; breathing partial-weight renormalization; IIR low-sample-rate divergence clamp. Centerpiece: a MEASURED **negative-results** audit showing the layer (802.11bf model, parsers, calibration) was already hardened — cited file:line, NO-ACTION.
-  - **ADR-158 MAT/world-model** — **unified two divergent triage engines** (the confidence-gated result was computed then discarded; gate==record now); **killed survivor count-inflation** (real RSSI localization + vitals-signature dedup, MEASURED 3→1); real ESP32/UDP/PCAP CSI ingest with honest typed `HardwareUnavailable`/`UnsupportedAdapter` errors for hardware-gated adapters (Intel5300/Atheros/PicoScenes — never fabricated CSI); real parabolic peak interpolation; real GDOP.
-  - **Soul Signature §3.6 matcher made real (`wifi-densepose-bfld`, issue #1021).** An external audit correctly found person-identification was spec-only behind a no-op `NullOracle`. Now a real per-channel weighted-cosine matcher + `EnrolledMatcher: SoulMatchOracle` (364 tests). MEASURED: same-person 1.0000 vs cross-person 0.8088; and the audit's own claim proven — on WiFi-only cardiac+respiratory channels alone two people are **not separable** (gap 0.0005). Named identity is honestly **data-gated** on the AETHER/body-resonance channel being fed by a real enrollment; no working-named-identity claim is made.
-  - **OccWorld real forward pass** — replaced `Tensor::randn` encoder/decoder stubs (which emitted trajectory priors from pure noise) with a real deterministic conv VQ-VAE forward pass (input-dependent, proven by tests that fail on the old randn) + a `weights_trained` honesty flag (false until a real checkpoint loads); pointcloud `to_gaussian_splats` 9→2 passes (**1.24×** MEASURED).
-  - **Native multi-BSSID `wlanapi.dll` FFI** (`wifi-densepose-wifiscan`) — real `WlanOpenHandle`/`WlanEnumInterfaces`/`WlanGetNetworkBssList`, **MEASURED 9.74 Hz** on Windows (vs netsh ~2 Hz; no fabricated "10×"), typed `Unsupported` off-Windows. Real Matter 1.3 manual-pairing-code field-packing (canonical 34970112332, lossless decode) replacing a lossy-modulo placeholder.
-  - **HOMECORE assistant** — real `LocalRunner` response path, real semantic intent recognizer (exact in-memory cosine k-NN; MEASURED 0.855 match / 0.106 no-match), real SQL state text-search — three always-empty stubs removed.
-- **ADR-152 WiFi-Pose SOTA 2026 intake — verified external benchmark + four Rust integrations.** A 22-source adversarially-verified survey of the 2025–2026 WiFi-sensing SOTA, with every adopted number reproduced or graded before integration:
-  - **WiFlow-STD (DY2434) reproduction (`benchmarks/wiflow-std/`)** — the external "97.25% PCK@20, 2.23M params" claim audited end-to-end: the **shipped checkpoint is REFUTED** (0.08% PCK@20 — wrong keypoint normalization, predates the published code), the released code does not run as published (6 documented defects, incl. an import that fails and an unreachable test phase), and the released dataset's final 13 files are corrupted (9,072 windows of NaN + float32-max garbage that NaN-poisons fp16 BatchNorm training). After repairing both, retraining with upstream defaults on an RTX 5080 reproduced **96.09% PCK@20 (full test) / 96.61% (corruption-free)** — claims graded MEASURED-EQUIVALENT; params (2,225,042) and FLOPs (~0.055 G) verified exactly. Full forensics in `benchmarks/wiflow-std/RESULTS.md`.
-  - **`GeometryEmbedding` (ADR-152 §2.1.2, `wifi-densepose-calibration`)** — 32-slot permutation-invariant, NaN-proof featurization of the §2.1.1 `NodeGeometry` records (centroid/spread, measured-first pairwise distances, circular azimuth stats, covariance-eigenvalue geometric diversity, per-node flags), schema-versioned for the ADR-151 P6 LoRA heads; derived `SpecialistBank::geometry_embedding()` accessor. The PerceptAlign "coordinate overfitting" defense, transplanted to per-room banks.
-  - **MAE pretraining recipe (ADR-152 §2.3, `wifi-densepose-train/src/mae.rs`)** — `MaePretrainConfig` pinning the UNSW-measured recipe (80% masking, (30,3) patches) with pure-Rust patchify/random-mask (exact counts, seed-deterministic, error-not-truncate divisibility, NaN rejection), property-tested; the consumption seam for the future ADR-150 ViT-Small encoder.
-  - **`WiFlowStdModel` Rust port (`wifi-densepose-train/src/wiflow_std/`)** — tch-gated idiomatic port of the verified spatio-temporal-decoupled architecture (grouped causal TCN → asymmetric conv stack → dual axial attention); ungated param formula asserted equal to the reference 2,225,042; 15/17-keypoint variants share weights (enables the ADR-152 §2.2(b) ESP32 fine-tune).
-  - **RuVector vendor sync + §2.6 opportunity survey** — vendor at `a083bd77f`; graded ADOPT/EVALUATE/WATCH table; crates.io bumps applied (mincut/solver 2.0.6, attention 2.1.0, gnn 2.2.0; RUSTSEC #504 audit: no pinned crate affected); top WATCH: unpublished `ruvector-graph-condense` differentiable min-cut for trainable subcarrier grouping.
-- **ADR-153 IEEE 802.11bf-2025 forward-compatibility protocol model (`wifi-densepose-hardware/src/ieee80211bf/`)** — typed WLAN-sensing procedures (measurement setup/instance/report, SBP, termination) with `SpecProfile` version gates, `SensingCapabilities` negotiation, and **required** `ConsentMode` governance metadata on every setup; deterministic session FSM with rejection/timeout paths; `SensingTransport` seam with `SimTransport` and an `OpportunisticCsiBridge` mapping live ESP32 CSI batches into standardized report shape (a future chipset adapter replaces the bridge without touching RuvSense consumers). Not a certified implementation — simulation-tested protocol surface; OTA binding lands when silicon does. 19 acceptance tests.
-- **Dynamic min-cut mesh partition guard in the streaming engine (`mesh_guard`).** Maintains a `ruvector-mincut` exact min-cut over the live mesh coupling graph (nodes = sensing nodes, coupling = product of fusion attention weights), surfacing per cycle: the global **cut value** (how close the array is to splitting — a structural measure per-node heuristics miss), the **weak side** (which specific nodes would partition: failure/jamming triage feeding ADR-032 posture), and an **at-risk flag** that counts as a structural event for the drift→recalibration advisor. Surfaced as `TrustedOutput::mesh`. **Measured cost policy** (criterion, 12-node mesh): weights are quantized (1/64; a *nonzero* coupling below one quantum saturates to quantum 1 so quantization never erases a live coupling — without the floor, balanced meshes of ≥ 65 nodes had every ~1/n coupling erased and sat permanently "at risk") and updates change-gated, so the steady-state cycle does zero graph work (~7.3 µs, ~23× cheaper than building); on any real change a full exact rebuild (~171 µs) is used because one `DynamicMinCut` delete+insert measured ~240 µs — the incremental machinery's overhead targets much larger graphs, so rebuild-on-change is the measured optimum at mesh scale (one-edge case −28% after the policy switch). Degenerate cases fail toward risk: a node with zero coupling is reported as already partitioned (cut 0). 9 mesh-guard tests + an engine-level wiring test; full `process_cycle` with the guard: ~33 µs for 4 nodes (50 ms budget).
-- **Opt-in FFT operator for the CIR ISTA solver (8–14× measured).** Φ is a sub-DFT, so each ISTA mat-vec can run as one length-G FFT (O(G log G)) instead of a dense O(K·G) product. New `CirConfig::fft_operator` (default **false** — the dense path stays the bit-exact witness default; the FFT evaluates the same sums in a different order, so enabling it shifts float results and requires regenerating any pinned witness). `FftOperator` (rustfft, planned once at construction, scratch reused across the ISTA loop) dispatches inside `ista_solve`; warm-start/Lipschitz stay dense at construction. Measured (criterion, same run): ht20 2.22 ms → 265 µs (**8.4×**), ht40 10.26 ms → 717 µs (**14.3×**); the real HE40 grid (K=484, G=1452) scales further. 3 new tests: FFT↔dense matvec equivalence to float tolerance (ht20 + he40 grids), end-to-end dominant-tap agreement on a single-path frame, and all default configs keep FFT off. New `cir_estimate_fft` bench group.
-- **Per-room adapter provenance + drift→recalibration advisor in the streaming engine.** Closes the trust-chain gap where an ~11 KB per-room LoRA adapter (ADR-150 §3.4) could silently change inference without the witness noticing. `StreamingEngine::set_room_adapter(AdapterInfo)` pins the adapter's content-derived id into provenance `model_version` (`rfenc-v1+adapter:<id>`) — and therefore into the BLAKE3 witness — so swapping or clearing adapter weights always shifts the witness (engine test proves base → adapter → other-adapter → cleared all witness differently, and cleared == base). New `RecalibrationAdvisor` recommends re-running the ADR-135 baseline / refitting the adapter on sustained low fusion coherence (streak threshold, default 60 cycles ≈ 3 s at 20 Hz) or an ADR-142 change-point; surfaced as `TrustedOutput::recalibration_recommended` and recorded on the sensing-server's `EngineBridge` alongside the witness. Bridge plumbing: `EngineBridge::{set_room_adapter, clear_room_adapter}` + live-path test that the adapter id flows into the live witness. *Scope note: this is the deployable provenance/trigger half of the "retrained model" roadmap item — fitting the adapter itself runs in the existing external calibration service (`aether-arena/calibration/`), and a trained RF-encoder checkpoint still does not exist in-tree.*
-- **RuView beyond-SOTA research series** (`docs/research/ruview-beyond-sota/`, 6 docs) — research-swarm output defining the beyond-SOTA bar and the path to it: system capability audit (role→crate maturity matrix, gap analysis, risk register), web-verified 2026 SOTA landscape per capability axis (incl. ratified IEEE 802.11bf-2025), 8-pillar target architecture on the ADR-136 contract spine (no rewrite), 6-layer benchmark/validation methodology (all 15 criterion bench targets inventoried; ADR-149 statistical protocol), and a determinism-safe optimization roadmap. Includes session validation evidence: 2,797 workspace tests / 0 failed, Python proof PASS (bit-exact), paired pre/post criterion runs.
-
-### Performance
-- **CIR estimator warm-start precompute** — the diagonal Tikhonov preconditioner `diag(Φ^H Φ)+λI` and its CSR matrix were rebuilt every frame although they depend only on Φ and λ (fixed at `CirEstimator::new`); now precomputed at construction (`ruvsense/cir.rs`). Bit-identical floats (summation order unchanged, witness chain unaffected). Measured: `cir_estimate/he40` −3.9% (p<0.01), multiband groups −1.2/−1.4%; smaller configs within container noise.
-- **RF tomography solver hoisting** — ISTA gradient buffer no longer allocated inside the 100-iteration loop, and the Frobenius Lipschitz bound moved from per-`reconstruct` to construction (`ruvsense/tomography.rs`). Bit-identical results.
-
-### Added
-- **Falsifiable occupancy benchmark (`wifi-densepose-train::occupancy_bench`).** Makes the presence/person-count "beyond SOTA" claim falsifiable in code instead of aspirational (the unfalsifiability gap from the beyond-SOTA system review). Grades predictions vs ground truth and gates a SOTA claim behind one `claim_allowed` invariant requiring all of: `DataProvenance::Measured` (synthetic/mock is scorable but **never claimable** — anti-mock-contamination per the CLAUDE.md Kconfig-bug lesson), a leak-free `EvalSplit` (refuses any split where a subject *or* environment id appears in both train and test — subject leakage / per-environment overfitting), `n_test ≥ min`, a **non-degenerate test set** (both truth classes represented: present-rate ≥ `min_positive_rate` and ≥ 1 absent sample — an all-absent set plus an always-absent predictor cannot release a claim; vacuous F1 scores 0.0, never 1.0), presence-F1 **bootstrap-CI lower bound** (deterministic seeded splitmix64) clearing the threshold, and count MAE within threshold. The claim string is unreadable except through the gate (`NO_CLAIM` otherwise). What remains is data, not method: a frozen, SHA-pinned, subject/environment-disjoint measured replay set turns the claim into a passing/failing test. 12 tests cover each refusal path, including the point-above/CI-below case (claim withheld on the CI lower bound even when the point estimate clears the threshold).
-- **Live trust path: sensing-server routes real frames through the governed `StreamingEngine` (parallel governed path with partial output gating).** Previously the live server ran only the *bare* `MultistaticFuser` (fused amplitudes, no trust control plane), while the privacy/provenance/witness engine (ADR-135..146) ran only on synthetic in-test frames — the gap called out in ADR-136 §8 and the beyond-SOTA system review. New `engine_bridge` module drives `StreamingEngine::process_cycle` from the server's live `NodeState` map (reusing the existing `NodeState → MultiBandCsiFrame` conversion), lazily wiring each node as a WorldGraph sensor and bounding belief growth via the retention cap; every *governed belief* carries evidence + model + calibration + privacy decision and a deterministic witness. **Honest scope:** the engine runs alongside (not instead of) the bare fusion path that feeds the live `SensingUpdate`. What its decision gates on the wire today: a cycle emitted at class `Restricted` (base mode or contradiction/mesh-risk demotion) suppresses the per-node raw amplitude vectors from the live publish — the same field mapping `wifi-densepose-bfld`'s privacy gate applies at `Restricted`; gating the remaining derived outputs (person count, classification, signal field) is tracked as a follow-up. Trust state is no longer write-only: the latest witness, effective privacy class, demotion flag, recalibration recommendation, and an engine-error counter are readable on `GET /api/v1/status`, and engine errors are counted + rate-limit logged instead of silently swallowed (`EngineBridge::observe_cycle`). Adds `wifi-densepose-engine/-worldgraph/-bfld/-geo` deps. Bridge tests cover witnessed belief with provenance, determinism, idempotent node registration, retention bound, privacy-mode propagation, trust-state recording, the error-counter path, and Restricted-class raw-output suppression.
-
-### Fixed
-- **`wifi-densepose-mat` standalone `--no-default-features` build (101 errors → 0).** `pub mod api` was unconditional while its only dependency, serde, is optional behind the `api` feature — so any build without default features failed with unresolved serde imports (masked in `--workspace` runs by feature unification). The `api` module and its `create_router`/`AppState` re-export are now `#[cfg(feature = "api")]`-gated (with docsrs annotations). All feature combos compile: bare `--no-default-features`, `--no-default-features --features api`, and full default (177 tests pass).
-- **WorldGraph no longer grows unboundedly under the live loop.** `StreamingEngine::process_cycle` appended one `SemanticState` belief per cycle with no eviction — ~1.7M nodes/day at 20 Hz (identified in `docs/research/ruview-beyond-sota/04-optimization-roadmap.md`). Added `WorldGraph::prune_semantic_states(max)` — deterministic eviction of the oldest beliefs by `(valid_from_unix_ms, id)`, structural nodes (rooms/zones/sensors/anchors/tracks/events) never eligible — and wired it into the engine after each belief append (`StreamingEngine::DEFAULT_SEMANTIC_RETENTION` = 7,200 ≈ 6 min at 20 Hz; tunable via `set_semantic_retention`). The WorldGraph holds *current* beliefs; durable history is the recorder's job, so no audit data is lost. 3 new tests (bounded growth end-to-end, oldest-only eviction, deterministic tie-break).
-- **ESP32 edge heart rate no longer stuck at ~45 BPM / dropping wildly — #987.** The on-device HR estimator (`edge_processing.c`, `0xC5110002`) reported ~45 BPM regardless of true heart rate (Apple-Watch ground truth 87 BPM read as ~45) and swung frame-to-frame. Two root causes: (1) a hardcoded `sample_rate = 10.0f` that became wrong after #985's self-ping raised the CSI callback rate to a variable ~13–19 Hz — BPM scales as `assumed/actual × true`, so 87 read ~45 and the reading swung as CSI yield fluctuated; (2) the zero-crossing estimator locked onto a breathing harmonic (a 0.25 Hz breathing fundamental puts its 3rd harmonic at ~0.74 Hz ≈ 44 BPM inside the HR band). Fix: measure the real sample rate from inter-frame timestamps (used for BPM conversion + biquad re-tuning on >15% drift); replace the HR zero-crossing with an autocorrelation estimator that rejects breathing harmonics (driven by a robust autocorr breathing period); median-13 smooth the output. Hardware A/B (fixed vs unmodified control board, both `edge_tier=2`): control pegged 40–49 BPM; fixed reaches the true 88–91 BPM (vs 87 GT) and holds a stable physiological value (spread 59→0 for a steady subject). Known limitation: heavy subject motion still degrades the estimate (motion gating is a follow-up).
-- **Person count no longer leaks up to 10 in heuristic mode — addresses #894.** `field_bridge::occupancy_or_fallback` returned the eigenvalue-based `FieldModel::estimate_occupancy` count **unbounded** (its internal ceiling is 10), while the sibling estimators on the same single-link data — the perturbation-energy fallback right below it and `score_to_person_count` — both cap at 3 ("1-3 for single ESP32"). On noisy / under-calibrated CSI the eigenvalue count inflated, producing the "10 persons reported when 1 present" symptom (seen when `--model` fails to load and the server runs on heuristics). Bounded the eigenvalue path to the shared `MAX_SINGLE_LINK_OCCUPANCY` (3) so every estimator on one link agrees; genuine higher counts come from the multistatic fusion path, not a single-link covariance estimate.
-- **MQTT multi-node deployments now create one Home-Assistant device per node — closes #898.** After the #872 MQTT wiring landed, the JSON→`VitalsSnapshot` bridge hard-coded a single `node_id` (the MQTT client id) and the publisher used a single `OwnedDiscoveryBuilder`, so every physical node collapsed into one device (`identifiers:["wifi_densepose_wifi-densepose-1"]`), contradicting the "one device per node" docs. The bridge now emits one snapshot per node in the sensing update's `nodes[]` (each with its own `node_id` + RSSI, falling back to a single aggregate snapshot for wifi/simulate sources), and the publisher derives a per-node builder (`OwnedDiscoveryBuilder::for_node`) that publishes discovery + availability lazily on first sight of each `node_id` and routes state to per-node topics — yielding N distinct HA devices with per-node availability/LWT. Unit-tested (distinct nodes → distinct `wifi_densepose_<node>` identifiers); 71 MQTT tests pass.
-- **Person count no longer pinned to 1 — addresses #803.** The aggregate occupancy reported by the sensing server was derived from `smoothed_person_score`, an EMA-smoothed *activity* score (amplitude variance / motion / spectral energy). That score saturates near a single occupant — one moving person maxes it out — so it cannot discriminate occupancy *count* and stayed clamped at 1 across S3/C6 and the Python/Docker/Rust servers. Meanwhile the count-aware per-node estimates the ESP32 paths already compute (firmware `n_persons`, and the DynamicMinCut `corr_persons`) were stashed in `NodeState::prev_person_count` and then **discarded** by the aggregator (same dead-wiring class as #872). The aggregator now takes `max(activity_count, node_max)` via a unit-tested `aggregate_person_count` helper, so a node positively estimating 2–3 occupants is surfaced instead of overwritten. The fix can only ever *raise* the count when a node reports more people, so the single-occupant case is provably never inflated (regression-guarded by test). **Second half:** the pure-CSI per-node path itself clamped its own estimate — the DynamicMinCut occupancy (`estimate_persons_from_correlation`, 0–3) was mapped to a score via `corr_persons / 3.0`, putting 2 people at 0.667, *just under* the 0.70 up-threshold of `score_to_person_count`, so the per-node count never climbed past 1 (so `node_max` was also stuck at 1 for CSI-only nodes). Replaced it with a threshold-aligned `corr_persons_to_score` mapping (1→0.40, 2→0.74, 3→0.96) whose steady state round-trips back to the same count through the EMA + hysteresis, while still gating transient noise. A convergence test replays the exact EMA loop to prove min-cut=2 now reports 2 (and documents that the old `/3.0` mapping reported 1). Full multi-person accuracy still depends on the underlying estimator quality; this removes the two server-side clamps that masked it. 586 sensing-server tests pass.
-- **MQTT publisher now actually runs (`--mqtt`) — closes #872.** The `--mqtt*` flags were defined only in `cli::Args` (dead code, referenced nowhere) while the binary parses a *separate* `main::Args` with no mqtt fields, and `main.rs` never started the `mqtt::` publisher — so MQTT/Home-Assistant integration was completely unwired (`--mqtt` errored as an unexpected argument, and even with the Docker image's `--features mqtt` build the publisher never ran). Earlier attempts chased a Docker *rebuild*; the real cause was disconnected *code*. Extracted the flags into a shared `cli::MqttArgs` (`#[command(flatten)]` into both structs), spawn the publisher on `--mqtt`, and bridge the JSON sensing broadcast into the typed `VitalsSnapshot` stream with a defensive `serde_json::Value` mapping. Verified end-to-end against `mosquitto`: 20 HA auto-discovery entities + live state (presence/person-count/…). 577 (default) / 580 (`--features mqtt`) tests pass.
-- **Mass Casualty triage never reports a survivor with a heartbeat as Deceased (safety) — PR #926.** Both triage paths in `wifi-densepose-mat` — `TriageCalculator::calculate` (`combine_assessments(Absent, None) ⇒ Deceased`) and the detection path `EnsembleClassifier::determine_triage` (`!has_breathing && !has_movement ⇒ Deceased`) — ignored the `heartbeat` field. A survivor with a detectable **pulse** but no sensed breathing/movement (respiratory arrest — the most time-critical *savable* state, Immediate/Red) was therefore reported **Deceased (Black)** and deprioritized for rescue. The domain path was in fact only reachable *because* a heartbeat made `has_vitals()` true, so every "Deceased" was a live person. Both paths now escalate to **Immediate** when a heartbeat is present; total absence of breathing, movement *and* heartbeat is unchanged (domain → `Unknown`, ensemble → `Deceased`). 2 safety regression tests; full MAT suite (177) green.
-- **Per-node Home-Assistant devices now report each node's *own* presence/motion — PR #918.** After the one-device-per-node fan-out landed, the MQTT bridge still applied the *room-level aggregate* `classification` to every node, so in a multi-node deployment a node watching an empty corner inherited another node's "present" (and `motion_level: "absent"` was mis-mapped to full motion). Each node in the broadcast `nodes[]` already carries its own `classification`; the bridge now reads it per node (extracted into a testable `vitals_snapshots_from_sensing_json`), keeping vitals + person count room-level. 4 unit tests.
-- **`--model` gives an actionable diagnostic instead of a cryptic magic error — PR #919 (refs #894).** Passing a HuggingFace `ruvnet/wifi-densepose-pretrained` file (`model.safetensors` / `model-q4.bin` / `model.rvf.jsonl`) to `--model` produced `invalid magic at offset 0: … got 0x77455735`, then a silent fall back to heuristics. The load-failure path now detects the format (safetensors / quantized blob / JSONL manifest) and explains that those files are a different format **and** encoder architecture than the RVF binary container the progressive loader expects, pointing to #894. Pure `diagnose_model_load_error` + 4 tests.
-- **`--export-rvf` no longer silently produces a placeholder model — PR #920.** The `--export-rvf` handler ran *before* `--train`/`--pretrain` and unconditionally wrote placeholder sine-wave weights, so the documented `--train … --export-rvf <path>` workflow short-circuited to a fake model and never trained (while printing "exported successfully"). It now emits the placeholder **container-format demo** only standalone (with a clear warning), and falls through to real training when `--train`/`--pretrain` is set; docs point to `--save-rvf` for the real model. 3 guard tests.
-
-### Added
-- **ADR-151 per-room calibration & specialist training — full `baseline → enroll → extract → train` pipeline (new `wifi-densepose-calibration` crate).** "Teach the room before you teach the model": a local-first pipeline that turns a few minutes of clean human anchors — layered on the ADR-135 empty-room baseline — into a versioned bank of small, room-calibrated specialists for **presence, posture, breathing, heartbeat, restlessness, and anomaly**. Stages: guided enrollment with an adaptive quality gate (event-sourced `EnrollmentSession`, re-prompts bad anchors); feature extraction (autocorrelation periodicity in breathing/HR bands + variance/motion); six small specialists (learned threshold / nearest-prototype / band-limited periodicity / novelty); a `SpecialistBank` with baseline-drift **STALE** invalidation; and a `MixtureOfSpecialists` runtime with presence short-circuit + anomaly veto + confidence gating. Specialists are statistical heads today (runnable + hardware-validated); the frozen ADR-150 HF RF Foundation Encoder backbone is the documented upgrade path.
-  - **CLI:** `enroll` / `train-room` / `room-status` / `room-watch`, plus the Stage-1 `calibrate-serve` HTTP API (CORS-enabled: `POST /start`, `GET /status`, `POST /stop`, `GET /result`, `GET /baselines`, `GET /health`) and a firewall-free `scripts/csi-udp-relay.py` for local Windows ESP32 testing without admin.
-  - **Multistatic fusion (ADR-029):** `MultiNodeMixture` fuses several co-located nodes (each with its own room-calibrated bank) into one room state — presence OR'd across nodes, posture/breathing/heartbeat from the highest-confidence node, a single implausible node vetoes the room's vitals. Driven via `room-watch --node-bank N:path` (repeatable), which groups live frames by `node_id` and fuses. Same-room only; cross-room is federation (ADR-105).
-  - **Validated on live ESP32-S3 (COM8, `edge_tier=0` raw CSI):** baseline capture (120 frames → 52-subcarrier baseline); the real parser → feature-extraction → mixture runtime detecting breathing (~16–31 BPM); and the multistatic ingest grouping/fusing by node-id end-to-end. Full multi-anchor enrollment accuracy requires the operator to perform the poses; true 2-node fusion + phase-based breathing + RVF/HNSW storage are noted follow-ups. 54 tests pass (35 calibration + 19 CLI).
-- **WiFi-CSI pose: efficiency frontier + per-room calibration service** (ADR-150 §3.2–3.6). Two beyond-SOTA results on the MM-Fi benchmark, plus the deployment mechanism that resolves real-world generalization:
-  - **Efficiency frontier** — a **75 K-param model beats published SOTA** (74.3% vs MultiFormer 72.25% torso-PCK@20); every config from `micro` up is Pareto-dominant (smaller *and* more accurate than prior work). Shipped a deployable **int4 edge model (~20 KB, verified 74.08%, 0.135 ms single-thread CPU)** — published at [`ruvnet/wifi-densepose-mmfi-pose/edge`](https://huggingface.co/ruvnet/wifi-densepose-mmfi-pose). See [`docs/benchmarks/wifi-pose-efficiency-frontier.md`](docs/benchmarks/wifi-pose-efficiency-frontier.md).
-  - **Generalization solved by few-shot calibration** — zero-shot cross-subject (~64%) and cross-environment (~10%) are *not* closeable by algorithms (CORAL, DANN, instance-norm, contrastive foundation-pretraining all tested, all failed) or by more training subjects (saturates ~64%). But **~100–200 labeled in-room samples recover SOTA-level pose**: cross-subject 64→76%, **cross-environment 10→73% (60% from just 5 samples)** — deployable as a **~11 KB per-room LoRA adapter** on a frozen shared base. Full empirical chain in ADR-150 §3.2–3.6.
-  - **Calibration service (complete, both model paths, cross-language verified)** — `aether-arena/calibration/`: `calibrate.py` (transformer model, `.npz` adapter) + `infer.py` (verified 3.09%→74.29% on an unseen MM-Fi room), **and `cog_calibrate.py`** which fits a `fc1.a/fc1.b/fc2.a/fc2.b` **safetensors** adapter for the deployed cog conv+MLP model (`pose_v1.safetensors`). Consumed by the Rust product engine: `InferenceEngine::with_adapter()` + `cog-pose-estimation run --config <cfg> --adapter <room.safetensors>`. Self-contained regression tests for both Python producers (`test_calibration.py`, `test_cog_calibration.py`) **plus a cross-language Rust integration test** that loads a real `cog_calibrate.py`-generated adapter fixture and asserts it activates + changes engine output. All green.
-- **Windows workspace build + test now green** (cross-platform fixes). `wifi-densepose-worldmodel` imported `tokio::net::UnixStream` unconditionally, so `cargo build/test --workspace` failed to compile on Windows (E0432) — now the OccWorld Unix-socket bridge is `#[cfg(unix)]`-gated with a clear non-unix fallback. And `wifi-densepose-bfld`'s `readme_quickstart_uses_canonical_public_api` test checked a multi-line `pipeline\n    .process` needle that never matched on a CRLF checkout — now normalizes line endings. Result: **2,682 workspace tests pass / 0 fail on Windows** (the pre-merge gate was previously unrunnable there).
-- **`ruview-swarm` crate (ADR-148)** — drone swarm control system with hierarchical-mesh topology, Raft consensus, MAPPO multi-agent reinforcement learning, and CSI sensing integration. 14 modules: topology (Raft/Gossip/Mesh), formation control (virtual-structure/leader-follower/Reynolds flocking), RRT-APF path planning, auction+FNN task allocation, MARL actor + PPO training loop, security (MAVLink v2 HMAC-SHA256 signing, UWB anti-spoofing, geofencing, Remote ID, FHSS anti-jamming), 10-state fail-safe machine, and SwarmOrchestrator. ITAR-gated coordination features (USML Category VIII(h)(12)) behind `itar-unrestricted` feature.
-- **Ruflo integration for `ruview-swarm`** — feature-gated (`ruflo`) AI-agent capability layer connecting to the claude-flow daemon: AgentDB mission memory (`memory_store`/`memory_search`), HNSW pattern learning (`agentdb_pattern-store`/`-search`), AIDefence MAVLink message scanning, and SONA intelligence trajectory hooks. `RufloBackend` trait with `HttpRufloBackend` (JSON-RPC 2.0) and `MockRufloBackend` implementations.
-
-### Performance
-- `ruview-swarm` benchmarks (criterion, release): MARL actor inference 3.3 µs, RRT-APF planning 0.043 ms, multi-view CSI fusion 58.5 ns, 3-view localization 1.732 m (beats Wi2SAR 5 m SOTA baseline), 4-drone SAR coverage 223 s for 400×400 m (under 240 s target).
-
-### Added
-- **ADR-147 — OccWorld world model integration** (`wifi-densepose-worldmodel` v0.3.0 published to crates.io). 15-frame trajectory prediction at 209 ms / 3.37 GB VRAM on RTX 5080. Phase 3 domain adapter `scripts/ruview_occ_dataset.py` (`RuViewOccDataset`) converts WorldGraph snapshots to OccWorld tensors with indoor class remapping + zero ego-poses (validated). Phase 5 retraining pipeline `scripts/occworld_retrain.py` — VQVAE + transformer fine-tuning on RuView occupancy snapshots. See [ADR-147](docs/adr/ADR-147-nvidia-cosmos-world-foundation-model-integration.md) · [benchmark proof](docs/adr/ADR-147-benchmark-proof.md).
-
-### Added
-- **ADR-125 (APPLE-FABRIC) — RuView ↔ Apple Home native HAP bridge proposal + reference impl** (issue #796). New ADR-125 lays out a three-phase plan to expose RuView as a discoverable HomeKit accessory on the LAN so a HomePod (as Home Hub) sees presence / vitals / BFLD-derived events natively — zero Home-Assistant intermediary. Two architectural decisions resolved in the ADR per design review: (1) **one HAP bridge with N child accessories** (single pairing, matches Hue/Eve pattern), and (2) **identity-risk mapping is semantic, not probabilistic** — `identity_risk_score` and Soul-Signature match probability never cross the HAP boundary; instead three thresholded events are exposed (`Unknown Presence`, `Unexpected Occupancy`, `Unrecognized Activity Pattern`) so RuView reads as calm-tech ambient awareness, not surveillance UX. ADR-125 §2.1.a reference impl ships now: `scripts/hap-test-sensor.py` (HAP-1.1 bridge advertised over mDNS, paired with operator's iPhone) + `scripts/c6-presence-watcher.py` (parses ESP32 `RV_FEATURE_STATE_MAGIC = 0xC5110006` UDP packets with IEEE CRC32 validation, hysteresis, and a Python port of `wifi-densepose-bfld::PrivacyClass` that enforces ADR-125 §2.1.d invariant I1 at the HomeKit edge — only `Anonymous` (2) and `Restricted` (3) frames may cross; `Raw`/`Derived` are refused with exit code 2 and the cited ADR clause). Validated end-to-end on real hardware (no mocks): ESP32-C6 on `ruv.net` → UDP/5005 → mac-mini watcher → BFLD gate → HAP bridge → iPhone Home app shows `Unknown Presence` live characteristic flip. **Empirical**: 50-51 valid CRC-passing feature_state packets per 10 s window from the live C6; zero CRC errors. P2 (Rust-native HAP via the `hap` crate, replaces the Python sidecar) and P3 (Matter Controller once `matter-rs` stabilizes) follow.
-
 ### Security
 - **ESP32 OTA upload now fails closed when no PSK is provisioned** (#596 audit finding — critical, **breaking change for unprovisioned nodes**). `ota_check_auth()` previously returned `true` when `s_ota_psk[0] == '\0'`, so a freshly-flashed node would accept attacker-controlled firmware over plain HTTP on port 8032 from any host on the WiFi. No Secure Boot V2, no signed-image verification — a single LAN call could brick or backdoor a node. The fix rejects every OTA upload until a PSK is written to NVS (the OTA HTTP server still starts so operators can run `provision.py --ota-psk <hex>` over USB-CDC without reflashing). **Operators affected**: any deployment that relied on the unauthenticated OTA endpoint working out of the box now needs to provision a PSK before subsequent OTA pushes will succeed. Boot-time `ESP_LOGW` makes the new posture visible.
-- **Bearer-token auth accepts the scheme case-insensitively (RFC 6750) — PR #929.** `require_bearer` parsed the `Authorization` header with a case-sensitive `strip_prefix("Bearer ")`, so a *correct* `RUVIEW_API_TOKEN` sent as `Authorization: bearer <token>` (or `BEARER`, or with extra whitespace) was rejected with a confusing 401 — needless friction when enabling auth. The scheme is now matched with `eq_ignore_ascii_case` (per RFC 6750 §2.1 / RFC 7235 §2.1); the token compare is unchanged — still exact and constant-time (`ct_eq`) — so a wrong token or a non-Bearer scheme (`Basic …`) still returns 401. Audited the surrounding code while here: `ct_eq` correctly rejects length mismatch (no prefix-auth bypass) and the middleware fails closed. New `accepts_case_insensitive_bearer_scheme` test.
 - **Path-traversal vulnerabilities patched in five sensing-server endpoints** (closes #615 — critical). New `wifi_densepose_sensing_server::path_safety::safe_id()` enforces `[A-Za-z0-9._-]` only (no leading `.`, max 64 chars) before any user-controlled identifier reaches a `format!()` building a filesystem path. Applied at:
   - `POST /api/v1/recording/start` (`recording.rs` — `session_name`)
   - `GET /api/v1/recording/download/:id` (`recording.rs` — `id`)
@@ -132,9 +62,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
   they can be reintroduced with a real implementation.
 
 ### Added
-- **BFLD — Beamforming Feedback Layer for Detection (ADR-118 umbrella + ADR-119 frame format + ADR-120 privacy class + ADR-121 identity risk scoring + ADR-122 RuView HA/Matter exposure + ADR-123 capture path, [#787](https://github.com/ruvnet/RuView/issues/787)).** New crate `wifi-densepose-bfld` (`v2/crates/wifi-densepose-bfld/`) — the privacy-gated WiFi sensing layer that detects when RF data crosses from "ambient sensing" into "identity record" and **structurally prevents** identity-correlated data from leaving the node. Three invariants enforced by the type system (not policy): **I1** raw BFI never exits the node (`Sink` marker-trait hierarchy + `PrivacyClass::Raw.allows_network() == false`), **I2** identity embedding is in-RAM-only (`IdentityEmbedding` has no `Serialize`/`Clone`/`Copy` + `Drop` zeroizes), **I3** cross-site identity correlation is cryptographically impossible (per-site BLAKE3-keyed `SignatureHasher` with daily epoch rotation; mean cross-site Hamming distance ≥120 bits across 100 trials). Ships the complete operator surface: `BfldPipeline` + `BfldPipelineHandle` (worker-thread variant + `spawn_with_oracle` for Soul Signature deployments), `BfldEvent` with JSON publishing (`"blake3:<hex>"` `rf_signature_hash` format per spec), 4 `privacy_class` levels (Raw/Derived/Anonymous/Restricted) with `PrivacyGate::demote` monotonic transformer + irreversible `apply_privacy_gating`, `CoherenceGate` with ±0.05 hysteresis + 5-second debounce + clock-skew resilience (saturating_sub), `SoulMatchOracle` Recalibrate-exemption trait for enrolled-person deployments. **MQTT/HA surface**: `mqtt_topics::render_events` + `publish_event` (class-gated topic routing — Raw/Derived publish 0 topics, Anonymous publishes 6, Restricted publishes 5 with `identity_risk` stripped), `ha_discovery::render_discovery_payloads` + `publish_discovery` (HA-DISCO config payloads with `availability_topic` integration), `availability` module (`online`/`offline` + LWT-aware `with_lwt` helper for `rumqttc::MqttOptions`), `RumqttPublisher` behind a `mqtt` feature gate with `connect_with_lwt` for broker-side auto-offline. **3 operator HA Blueprints** under `v2/crates/cog-ha-matter/blueprints/bfld/` (presence-driven-lighting, motion-aware-HVAC, identity-risk-anomaly-notification with rolling 7-day z-score). **Two runnable examples** (`bfld_minimal` for in-process consumers, `bfld_handle` for the production worker-thread + bootstrap-then-spawn pattern). **GitHub Actions CI workflow** (`.github/workflows/bfld-mqtt-integration.yml`) spins up `eclipse-mosquitto:2` as a service container so the env-gated `mosquitto_integration` and `rumqttc_lwt` tests run end-to-end in CI. **Performance**: `BfldFrame::to_bytes()` measured at **320,255 frames/sec** debug (6.4× ADR-119 AC7 release target of 50k), header-only at 1,654,517 frames/sec, presence-detection latency p95 = **0.9µs** (~1,000,000× under ADR-119 AC2's 1s target), 9.96 Hz motion-publish rate through `BfldPipelineHandle` (10× ADR-122 AC3 floor). **Coverage**: 327 tests at default features, 101 no_std-compatible, 220+ with `--features mqtt`. CRC-32/ISO-HDLC polynomial pinned against `"123456789" → 0xCBF43926`, public-API surface snapshot pinned across all `pub use` re-exports, `BfldError` Display contract pinned for log-grep monitoring rules, reserved-flag-bits forward-compat round-trip property, `apply_privacy_gating` irreversibility (5-cycle round-trip stress proves stripped fields never resurrect). Companion research dossier in `docs/research/BFLD/` (11 files, 13,544 words). 49-iter implementation chain from scaffold (`feat/adr-118/p1`, `c965e3e6c`) through current head with per-iter progress comments on issue [#787](https://github.com/ruvnet/RuView/issues/787). Try it: `cargo run -p wifi-densepose-bfld --example bfld_handle`.
-- **SENSE-BRIDGE — rvagent MCP server + ruvector npm + ruflo integration (ADR-124, [#787](https://github.com/ruvnet/RuView/issues/787)).** New npm package `@ruvnet/rvagent` (`tools/ruview-mcp/`) — a dual-transport [Model Context Protocol](https://modelcontextprotocol.io/) server that bridges the RuView WiFi-DensePose sensing stack to AI agents (Claude Code, Cursor, ruflo swarms). **6 of 20 ADR-124 §4.1 tools wired** in this initial release: `ruview.presence.now` (occupancy), `ruview.vitals.get_breathing` / `get_heart_rate` / `get_all` (biometric vitals via `EdgeVitalsMessage` surface, ADR-124 §6 Python ws.py:74-88 parity), `ruview.bfld.last_scan` (latest BFLD event — `identity_risk_score`, `privacy_class`, `n_frames`, `timestamp_ms`), `ruview.bfld.subscribe` (MQTT wildcard subscription with synthetic UUID envelope fallback). **Dual-transport architecture (ADR-124 §3)**: stdio (`npx @ruvnet/rvagent stdio` — recommended for Claude Code / Cursor local flow) + Streamable HTTP (`POST /mcp` bound to `127.0.0.1:3001` by default — for remote ruflo swarms across the Tailscale fleet). **Security model (ADR-124 §6)**: Origin header validation (cross-origin POST → 403), bearer-token auth slot (`RVAGENT_HTTP_TOKEN` → 401), bind default `127.0.0.1` per MCP spec requirement. **Uniform schema validation gate (ADR-124 §3)**: every `CallTool` request runs `zod.safeParse` via `TOOL_INPUT_SCHEMAS` before dispatch; failures throw `McpError(InvalidParams)`. **Full Zod schema barrel (ADR-124 §4.1 + §4.1a)**: `src/schemas/tools.ts` defines all 20 tool input schemas including the 5 RUVIEW-POLICY governance tools (can_access_vitals, can_query_presence, can_subscribe, redact_identity_fields, audit_log). **Python surface parity**: `EdgeVitalsMessage` TypeScript interface mirrors Python ws.py:74-88; ADR-124 §6 parity table drives the field names. **93 tests across 7 suites** (manifest, schemas, validate, tools, http-transport, bfld-tools, vitals-tools) — all green. Try it: `npx @ruvnet/rvagent stdio` (with `RUVIEW_SENSING_SERVER_URL=http://localhost:3000`).
-- **Home Assistant + Matter integration (ADR-115).** New `--mqtt` and `--matter` flags on `wifi-densepose-sensing-server` expose the full sensing capability set to any Home Assistant install via MQTT auto-discovery (HA-DISCO) and to any Matter controller (Apple Home / Google Home / Alexa / SmartThings) via a built-in Matter Bridge scaffolding (HA-FABRIC, SDK wiring v0.7.1). Includes 21 entity kinds per node — 11 raw signals + 10 inferred semantic primitives (HA-MIND: someone-sleeping, possible-distress, room-active, elderly-inactivity-anomaly, meeting, bathroom, fall-risk, bed-exit, no-movement, multi-room-transition). The semantic primitives run server-side so `--privacy-mode` strips HR/BR/pose values from the wire while still publishing the inferred *states* — the architectural win for healthcare and AAL deployments. Ships **8 starter HA Blueprints** under `examples/ha-blueprints/`, **3 drop-in Lovelace dashboards** under `examples/lovelace/` (including a privacy-mode-compatible healthcare care view), mTLS support, 32 KB payload-size cap, MQTT-wildcard topic-injection rejection, `RUVIEW_MQTT_STRICT_TLS=1` v0.8.0 upgrade path. **420 lib tests** cover the implementation including **~2,560 fuzzed assertions per CI run** (10 proptest cases across wire-boundary security + semantic-bus invariants). Plus mosquitto-backed integration tests in `.github/workflows/mqtt-integration.yml`, criterion benchmarks beating every ADR target by 1.6×–208×, and an ESP32-S3 hardware validation harness (`scripts/validate-esp32-mqtt.sh`) that asserts the full pipeline end-to-end with a witness bundle generator (`scripts/witness-adr-115.sh`) that self-verifies. See [`docs/releases/v0.7.0-mqtt-matter.md`](docs/releases/v0.7.0-mqtt-matter.md), [`docs/integrations/home-assistant.md`](docs/integrations/home-assistant.md), [`docs/integrations/semantic-primitives-metrics.md`](docs/integrations/semantic-primitives-metrics.md), [`docs/integrations/benchmarks.md`](docs/integrations/benchmarks.md), [`docs/adr/ADR-115-home-assistant-integration.md`](docs/adr/ADR-115-home-assistant-integration.md), tracking issue [#776](https://github.com/ruvnet/RuView/issues/776), PR [#778](https://github.com/ruvnet/RuView/pull/778). Matter SDK wiring (P8b) and CSA-certification path (P10) deferred to v0.7.1+ per ADR §9.10. Try it: `cargo run -p wifi-densepose-sensing-server --features mqtt --example mqtt_publisher -- --mqtt --mqtt-host 127.0.0.1`.
 - **ESP32-C6 firmware target with Wi-Fi 6 / 802.15.4 / TWT / LP-core support ([ADR-110](docs/adr/ADR-110-esp32-c6-firmware-extension.md), #762).** `firmware/esp32-csi-node` now builds for **both** `esp32s3` (existing production node) and `esp32c6` (new research/seed-node target) from the same source tree — pick via `idf.py set-target esp32c6` and ESP-IDF auto-applies the new `sdkconfig.defaults.esp32c6` overlay. Every C6 module is `#ifdef CONFIG_IDF_TARGET_ESP32C6` gated, so the S3 build is byte-identical to today (no regression).
   - **Wi-Fi 6 HE-LTF subcarrier tagging** — `csi_collector.c` now reads `rx_ctrl.cur_bb_format` and writes the PPDU type (0=HT/legacy, 1=HE-SU, 2=HE-MU, 3=HE-TB) into ADR-018 frame byte 18, plus bandwidth flags (20/40 MHz, STBC, 802.15.4-sync-valid) into byte 19. Bytes 18-19 were previously reserved-zero, so old aggregators read them as before — fully backwards compatible. Magic stays `0xC5110001`. Default on via `CONFIG_CSI_FRAME_HE_TAGGING`. First firmware in the open ESP32 ecosystem to tag CSI frames with 11ax PPDU metadata.
   - **802.15.4 mesh time-sync** — new `c6_timesync.{h,c}` (262 lines) provides cross-node clock alignment over the C6's separate 802.15.4 radio, freeing WiFi airtime from coordination traffic (directly addresses the ADR-029/030 multistatic synchronization gap). Protocol: lowest EUI-64 wins election, leader broadcasts `TS_BEACON` (`magic=0x54534D45`, leader epoch µs) every 100 ms on channel 15, followers compute `offset = leader_us - local_us` and apply lazily — every CSI frame is stamped with `c6_timesync_get_epoch_us()`. Target alignment ±100 µs. Default on via `CONFIG_C6_TIMESYNC_ENABLE`. Verified initializing at boot on COM6 (`c6_ts: init done: channel=15 EUI=206ef1fffefffe17 leader=yes(candidate)` at +413 ms).
@@ -476,7 +403,7 @@ Model release (no new firmware binary). Firmware remains at v0.6.0-esp32.
 - Security fix merged via PR #310.
 
 ### Performance
-- Presence detection: 100% accuracy on 60,630 overnight samples. *(Retracted — that recording was single-class (one sleeping person, 6,062/6,063 frames "present"), so a constant "yes" scores ~99.98%. Superseded by the honest 82.3% held-out temporal-triplet metric; see [#882](https://github.com/ruvnet/RuView/issues/882). Kept here as the in-place public record.)*
+- Presence detection: 100% accuracy on 60,630 overnight samples.
 - Inference: 0.008 ms per sample, 164K embeddings/sec.
 - Contrastive self-supervised training: 51.6% improvement over baseline.
 

CLAUDE.md

@@ -8,21 +8,19 @@ Dual codebase: Python v1 (`v1/`) and Rust port (`v2/`).
 | Crate | Description |
 |-------|-------------|
 | `wifi-densepose-core` | Core types, traits, error types, CSI frame primitives |
-| `wifi-densepose-signal` | SOTA signal processing + RuvSense multistatic sensing (16 modules) |
+| `wifi-densepose-signal` | SOTA signal processing + RuvSense multistatic sensing (14 modules) |
 | `wifi-densepose-nn` | Neural network inference (ONNX, PyTorch, Candle backends) |
-| `wifi-densepose-train` | Training pipeline with ruvector integration + ruview_metrics; MAE pretraining recipe (`mae.rs`, ADR-152 §2.3) + WiFlow-STD port (`wiflow_std/`, tch-gated) |
+| `wifi-densepose-train` | Training pipeline with ruvector integration + ruview_metrics |
 | `wifi-densepose-mat` | Mass Casualty Assessment Tool — disaster survivor detection |
-| `wifi-densepose-hardware` | ESP32 aggregator, TDM protocol, channel hopping firmware; `ieee80211bf/` 802.11bf forward-compat protocol model (ADR-153) |
+| `wifi-densepose-hardware` | ESP32 aggregator, TDM protocol, channel hopping firmware |
 | `wifi-densepose-ruvector` | RuVector v2.0.4 integration + cross-viewpoint fusion (5 modules) |
 | `wifi-densepose-wasm` | WebAssembly bindings for browser deployment |
-| `wifi-densepose-cli` | CLI tool (`wifi-densepose` binary) — `calibrate`/`calibrate-serve`/`enroll`/`train-room`/`room-watch` + MAT (MAT gated behind the `mat` feature; build `--no-default-features` for the aarch64/appliance calibration binary) |
-| `wifi-densepose-calibration` | ADR-151 per-room calibration & specialist training — `baseline → enroll → extract → train` → bank of small specialists (presence/posture/breathing/heartbeat/restlessness/anomaly) + multistatic fusion; pure Rust, edge-deployable |
+| `wifi-densepose-cli` | CLI tool (`wifi-densepose` binary) |
 | `wifi-densepose-sensing-server` | Lightweight Axum server for WiFi sensing UI |
 | `wifi-densepose-wifiscan` | Multi-BSSID WiFi scanning (ADR-022) |
 | `wifi-densepose-vitals` | ESP32 CSI-grade vital sign extraction (ADR-021) |
 | `nvsim` | Deterministic NV-diamond magnetometer pipeline simulator (ADR-089) — standalone leaf, WASM-ready |
 | `vendor/rvcsi` (submodule) | **rvCSI** — edge RF sensing runtime (ADR-095/096): 9 crates (`rvcsi-core`/`-dsp`/`-events`/`-adapter-file`/`-adapter-nexmon`/`-ruvector`/`-runtime`/`-node`/`-cli`). Lives in its own repo ([github.com/ruvnet/rvcsi](https://github.com/ruvnet/rvcsi)), vendored here under `vendor/rvcsi`, published to crates.io as `rvcsi-* 0.3.x` and to npm as `@ruv/rvcsi`. Not a `v2/` workspace member — depend on the published crates (or the submodule's `crates/rvcsi-*` paths). Normalized `CsiFrame`/`CsiWindow`/`CsiEvent` schema, validate-before-FFI, reusable DSP, typed confidence-scored events, the napi-c Nexmon shim (real nexmon_csi `.pcap` from a Raspberry Pi 5 / 4 / 3B+ — BCM43455c0), the napi-rs SDK, the `rvcsi` CLI, a Claude Code plugin. |
-| `ruview-swarm` | Drone swarm control system (ADR-148) — hierarchical-mesh topology, Raft consensus, MARL, CSI sensing payload, MAVLink/PX4 compat, Ruflo AI-agent integration |
 
 ### RuvSense Modules (`signal/src/ruvsense/`)
 | Module | Purpose |
@@ -40,8 +38,6 @@ Dual codebase: Python v1 (`v1/`) and Rust port (`v2/`).
 | `cross_room.rs` | Environment fingerprinting, transition graph |
 | `gesture.rs` | DTW template matching gesture classifier |
 | `adversarial.rs` | Physically impossible signal detection, multi-link consistency |
-| `cir.rs` | ADR-134 CSI→CIR via ISTA L1 sparse recovery (NeumannSolver warm-start) |
-| `calibration.rs` | ADR-135 empty-room baseline (Welford amplitude + von Mises phase, drift trigger) |
 
 ### Cross-Viewpoint Fusion (`ruvector/src/viewpoint/`)
 | Module | Purpose |
@@ -72,17 +68,14 @@ All 5 ruvector crates integrated in workspace:
 - ADR-030: RuvSense persistent field model (Proposed)
 - ADR-031: RuView sensing-first RF mode (Proposed)
 - ADR-032: Multistatic mesh security hardening (Proposed)
-- ADR-148: Drone swarm control system / `ruview-swarm` (In Progress)
-- ADR-152: WiFi-Pose SOTA 2026 intake — geometry conditioning, WiFlow-STD benchmark (measurement (a) complete: claims MEASURED-EQUIVALENT at ~96% PCK@20), MAE recipe (Proposed; §2.1–2.3, 2.6 implemented)
-- ADR-153: IEEE 802.11bf-2025 forward-compatibility protocol model (Accepted — amends ADR-152 §2.4)
 
 ### Supported Hardware
 
 | Device | Port | Chip | Role | Cost |
 |--------|------|------|------|------|
-| ESP32-S3 (8MB flash) | COM9 (ruvzen, was COM7) | Xtensa dual-core | WiFi CSI sensing node | ~$9 |
+| ESP32-S3 (8MB flash) | COM7 | Xtensa dual-core | WiFi CSI sensing node | ~$9 |
 | ESP32-S3 SuperMini (4MB) | — | Xtensa dual-core | WiFi CSI (compact) | ~$6 |
-| ESP32-C6 + Seeed MR60BHA2 | COM12 (ruvzen, was COM4) | RISC-V + 60 GHz FMCW | mmWave HR/BR/presence + WiFi CSI | ~$15 |
+| ESP32-C6 + Seeed MR60BHA2 | COM4 | RISC-V + 60 GHz FMCW | mmWave HR/BR/presence | ~$15 |
 | HLK-LD2410 | — | 24 GHz FMCW | Presence + distance | ~$3 |
 
 **Not supported:** ESP32 (original), ESP32-C3 — single-core, can't run CSI DSP pipeline.

PROOF.md

@@ -1,75 +0,0 @@
-# PROOF — reproduce every claim, or find the one we can't yet
-
-This project (RuView / wifi-densepose) has been publicly called "AI slop" and
-"fake." This document is the answer: **a skeptic can clone the repo, run one
-script, and have every headline claim either verified on their own machine or
-shown — explicitly — as "CLAIMED, not yet reproduced (here's exactly what it
-needs)."** Nothing below is asserted without a command you can run.
-
-```bash
-git clone https://github.com/ruvnet/RuView && cd RuView
-bash scripts/prove.sh          # core gate + the anti-slop assertion tests
-bash scripts/prove.sh --full   # also attempt the feature-gated subset
-```
-
-`prove.sh` exits 0 only if every **non-gated** claim passes. Gated claims never
-fail the run; they print the prerequisite (a GPU, a dataset, real hardware, a
-trained checkpoint) so you can reproduce them yourself.
-
-## Grading
-
-- **MEASURED** — reproduced on our hardware, with the exact command recorded, and
-  pinned by a test that *fails on the pre-fix code*. `prove.sh` re-runs these.
-- **CLAIMED** — cited from a source, or measured by the source, but not
-  reproduced in this repo's automated harness.
-- **DATA-GATED / HARDWARE-GATED** — the *code path* is real and tested, but the
-  *accuracy/throughput claim* needs data or hardware we don't ship. We never
-  fabricate the number; the code carries a typed error or a `weights_trained`/
-  provenance flag instead.
-
-## The hard gate (run on any machine with Rust + Python)
-
-| Claim | Grade | Reproduce |
-|---|---|---|
-| Rust workspace: 3,128 tests, 0 failed | **MEASURED** | `cd v2 && cargo test --workspace --no-default-features` |
-| Deterministic CSI pipeline proof (bit-exact SHA-256) | **MEASURED** | `python archive/v1/data/proof/verify.py` → `VERDICT: PASS` |
-
-## Anti-slop assertion tests (each fails on the pre-fix code)
-
-| Claim | Grade | Test (run via `cargo test -p <crate> <name>`) |
-|---|---|---|
-| Fusion crafted-input DoS panics are closed (ADR-156 §2.2) | **MEASURED** | `wifi-densepose-ruvector :: triangulation_out_of_range_index_returns_none_no_panic` |
-| **The "Soul Signature" identity claim, honestly bounded:** on WiFi-only cardiac+respiratory channels two people are **not separable** (gap ≈ 0.0005) | **MEASURED** | `wifi-densepose-bfld :: cardiac_alone_cannot_separate_identity_matches_audit` |
-| OccWorld `predict()` is real (input-dependent), not random noise | **MEASURED** | `wifi-densepose-occworld-candle :: predict_is_deterministic_for_same_input` |
-| Pose runtime emits frames under its own default config (ADR-159 A1) | **MEASURED** | `cog-pose-estimation :: default_config_emits_frames_with_real_model` |
-| Person-count flags untrained classes — no count inflation (ADR-159 A2) | **MEASURED** | `cog-person-count :: untrained_class_argmax_is_flagged_low_confidence` |
-| Medical edge skills carry a "not a medical device" disclaimer (ADR-160 A1) | **MEASURED** | `wifi-densepose-wasm-edge :: a1_med_modules_have_clinical_disclaimer` (`--features std`) |
-| Survivor dedup 3→1, count-inflation killed (ADR-158 §2) | **MEASURED** | `wifi-densepose-mat :: test_identical_vitals_no_location_dedup_to_one` (`--features mat`) |
-
-## Measured performance (criterion; reproduce on your machine)
-
-| Claim | Grade | Reproduce |
-|---|---|---|
-| PSD FFT-planner cache 2.0–3.1×, DTW band 2.4–4.1× (ADR-154) | **MEASURED** | `cd v2 && cargo bench -p wifi-densepose-signal` |
-| fuse() double-clone removed ~2.17× marshalling (ADR-156) | **MEASURED** | `cd v2 && cargo bench -p wifi-densepose-ruvector --bench fusion_bench` |
-| zero-copy ORT input ~1.48× (ADR-155) | **MEASURED** | `cd v2 && cargo bench -p wifi-densepose-nn --features onnx --bench onnx_bench` |
-| pointcloud splats 9→2 passes ~1.24× (ADR-160 research) | **MEASURED** | `cd v2 && cargo bench -p wifi-densepose-pointcloud --bench splats_bench` |
-| native wlanapi multi-BSSID scan 9.74 Hz (vs netsh ~2 Hz) | **MEASURED (Windows)** | `cd v2 && cargo test -p wifi-densepose-wifiscan -- --ignored measure_native_scan_rate` |
-
-## What we do NOT claim (the honest negatives — the strongest anti-slop signal)
-
-| Capability | Status |
-|---|---|
-| **Named person-identity from WiFi** | **NOT achieved, and measured why.** The §3.6 matcher is real, but identity does not lock on WiFi-only channels (gap 0.0005). DATA-GATED on a real enrollment feeding the AETHER/body-resonance channel — never done. No named-identity claim is made. |
-| WiFlow-STD ~96% PCK@20 | **CLAIMED-reproduced** on our RTX 5080 (`benchmarks/wiflow-std/RESULTS.md`); HARDWARE-GATED for you (needs an NVIDIA GPU + the MM-Fi dataset). The upstream *shipped checkpoint* was **REFUTED** (0.08% PCK) — we publish that. |
-| OccWorld trajectory accuracy | DATA-GATED on a trained checkpoint; `predict()` carries `weights_trained=false` until one is loaded — never silently faked. |
-| Edge-skill detection accuracy (seizure, weapon, affect, …) | UNVALIDATED — every such module is now disclaimer-gated as experimental/research; the DSP is real, the accuracy is not claimed. |
-| 802.11bf-2025 OTA conformance | No commodity silicon ships a conformant interface as of 2026; ours is a simulation-tested forward-compat protocol model, not a certified implementation. |
-
-## Provenance
-
-Every claim above traces to a committed ADR (`docs/adr/ADR-154`…`ADR-160`), a
-test, a criterion bench, or `benchmarks/wiflow-std/RESULTS.md`. The history
-includes published **retractions** (the 92.9% PCK retraction; the WiFlow-STD
-shipped-checkpoint refutation; the NV-diamond BOM reality check) — a faker hides
-failures; we commit them.

README.md

@@ -11,16 +11,17 @@
   </a>
 </p>
 
+> **Beta Software** — Under active development. APIs and firmware may change. Known limitations:
+> - ESP32-C3 and original ESP32 are not supported (single-core, insufficient for CSI DSP)
+> - Single ESP32 deployments have limited spatial resolution — use 2+ nodes or add a [Cognitum Seed](https://cognitum.one) for best results
+> - Camera-free pose accuracy is limited (PCK@20 ≈ 2.5% with proxy labels) — [camera ground-truth training](docs/adr/ADR-079-camera-ground-truth-training.md) targets **35%+ PCK@20**; the pipeline is implemented, but the data-collection and evaluation phases (ADR-079 P7–P9) are still pending, so no measured camera-supervised PCK@20 has been published yet
+>
+> Contributions and bug reports welcome at [Issues](https://github.com/ruvnet/RuView/issues).
+
 ## **See through walls with WiFi** ##
 
 **Turn ordinary WiFi into a spatial intelligence / sensing system.** Detect people, measure breathing and heart rate, track movement, and monitor rooms — through walls, in the dark, with no cameras or wearables. Just physics.
 
-Works natively with the four major smart-home ecosystems: **[Home Assistant](docs/integrations/home-assistant.md)** via the HA-DISCO MQTT publisher, **[Apple Home & HomePod](docs/user-guide-apple-homepod.md)** as a discoverable HAP-1.1 bridge, **[Google Home](docs/integrations/home-assistant.md)** + **[Amazon Alexa](docs/integrations/home-assistant.md)** via the same HA bridge or a [Matter](docs/adr/ADR-122-bfld-ruview-ha-matter-exposure.md) endpoint. Siri, Google Assistant, and Alexa can voice presence and vitals by room with zero custom skills.
-
-[![Works with Home Assistant](https://img.shields.io/badge/Works%20with-Home%20Assistant-blue?logo=home-assistant&logoColor=white&labelColor=41BDF5)](docs/integrations/home-assistant.md) [![Works with Matter](https://img.shields.io/badge/Works%20with-Matter-blue?labelColor=4285F4)](docs/adr/ADR-122-bfld-ruview-ha-matter-exposure.md) [![Works with Apple Home](https://img.shields.io/badge/Works%20with-Apple%20Home-black?logo=apple)](docs/user-guide-apple-homepod.md) [![Works with Google Home](https://img.shields.io/badge/Works%20with-Google%20Home-blue?logo=googlehome)](docs/integrations/home-assistant.md) [![Works with Alexa](https://img.shields.io/badge/Works%20with-Alexa-blue?logo=amazon&logoColor=white&labelColor=00CAFF)](docs/integrations/home-assistant.md)
-
-> Drop into any **Home Assistant** install with one `--mqtt` flag. Or pair into **Apple Home / Google Home / Alexa / SmartThings** as a Matter Bridge. Ships 21 entities per node (11 raw signals + 10 inferred semantic states: someone-sleeping, possible-distress, room-active, elderly-inactivity-anomaly, meeting-in-progress, bathroom-occupied, fall-risk-elevated, bed-exit, no-movement, multi-room-transition) plus 3 starter HA Blueprints. See [`docs/integrations/home-assistant.md`](docs/integrations/home-assistant.md) · [ADR-115](docs/adr/ADR-115-home-assistant-integration.md).
-
 ### π RuView is a WiFi sensing platform that turns radio signals into spatial intelligence.
 
 Every WiFi router already fills your space with radio waves. When people move, breathe, or even sit still, they disturb those waves in measurable ways. RuView captures these disturbances using Channel State Information (CSI) from low-cost ESP32 sensors and turns them into actionable data: who's there, what they're doing, and whether they're okay.
@@ -36,7 +37,7 @@ Built on [RuVector](https://github.com/ruvnet/ruvector/) and [Cognitum Seed](htt
 
 The system learns each environment locally using spiking neural networks that adapt in under 30 seconds, with multi-frequency mesh scanning across 6 WiFi channels that uses your neighbors' routers as free radar illuminators. Every measurement is cryptographically attested via an Ed25519 witness chain.
 
-RuView turns ordinary WiFi into a contactless sensor. A $9 ESP32 board reads the radio reflections off the people in a room, and a small pretrained model — published on Hugging Face at [`ruvnet/wifi-densepose-pretrained`](https://huggingface.co/ruvnet/wifi-densepose-pretrained) — tells you who's there, how they're breathing, and how their heart rate is trending. The model fits in 8 KB (4-bit quantized) and runs in microseconds on a Raspberry Pi. (The [v2 encoder](https://huggingface.co/ruvnet/wifi-densepose-pretrained) reports an honest, label-free held-out **temporal-triplet accuracy of 82.3%** — up from 66.4% raw; the older "100% presence" figure was measured on a single-class recording and has been retracted in favor of this.) No cameras, no wearables, no app on the user's phone.
+RuView turns ordinary WiFi into a contactless sensor. A $9 ESP32 board reads the radio reflections off the people in a room, and a small pretrained model — published on Hugging Face at [`ruvnet/wifi-densepose-pretrained`](https://huggingface.co/ruvnet/wifi-densepose-pretrained) — tells you who's there, how they're breathing, and how their heart rate is trending. The model fits in 8 KB (4-bit quantized), runs in microseconds on a Raspberry Pi, and reports 100% presence accuracy on the validation set. No cameras, no wearables, no app on the user's phone.
 
 ### Built for low-power edge applications
 
@@ -56,13 +57,12 @@ RuView turns ordinary WiFi into a contactless sensor. A $9 ESP32 board reads the
 > |------|-----|---------------|
 > | 🫁 **Breathing rate** | Bandpass 0.1–0.5 Hz on wrapped phase, circular variance, zero-crossing BPM ([#593](https://github.com/ruvnet/RuView/issues/593)) | 6–30 BPM, real-time |
 > | 💓 **Heart rate** | Bandpass 0.8–2.0 Hz, zero-crossing BPM | 40–120 BPM, real-time |
-> | 👤 **Presence detection** | Trained head on Hugging Face ([`ruvnet/wifi-densepose-pretrained`](https://huggingface.co/ruvnet/wifi-densepose-pretrained); v2 encoder = 82.3% held-out temporal-triplet acc, honestly re-benchmarked) + a phase-variance fallback that needs no model | < 1 ms, ~30 s ambient calibration |
+> | 👤 **Presence detection** | Trained head on Hugging Face ([`ruvnet/wifi-densepose-pretrained`](https://huggingface.co/ruvnet/wifi-densepose-pretrained), 100% validation accuracy) + a phase-variance fallback that needs no model | < 1 ms, ~30 s ambient calibration |
 > | 🧬 **CSI embeddings** | 128-dim contrastive encoder shipped on Hugging Face, 4-bit quantised variant fits in 8 KB | **164,183 emb/s** on M4 Pro |
-> | 🦴 **17-keypoint pose estimation** | `cog-pose-estimation` Cog v0.0.1 — signed aarch64 + x86_64 binaries on GCS, loads `pose_v1.safetensors` via Candle. Train your own from paired data in 2.1 s on an RTX 5080 ([ADR-101](docs/adr/ADR-101-pose-estimation-cog.md), [benchmarks](docs/benchmarks/pose-estimation-cog.md)). **SOTA on MM-Fi:** [`ruvnet/wifi-densepose-mmfi-pose`](https://huggingface.co/ruvnet/wifi-densepose-mmfi-pose) hits **82.69% torso-PCK@20** (ensemble 83.59%), beating MultiFormer (72.25%) and CSI2Pose (68.41%) on the matched MM-Fi `random_split` protocol — self-corrected and auditable on [AetherArena](https://huggingface.co/spaces/ruvnet/aether-arena) | 8.4 ms cold-start on a Pi 5 |
+> | 🦴 **17-keypoint pose estimation** | `cog-pose-estimation` Cog v0.0.1 — signed aarch64 + x86_64 binaries on GCS, loads `pose_v1.safetensors` via Candle. Train your own from paired data in 2.1 s on an RTX 5080 ([ADR-101](docs/adr/ADR-101-pose-estimation-cog.md), [benchmarks](docs/benchmarks/pose-estimation-cog.md)) | 8.4 ms cold-start on a Pi 5 |
 > | 🚶 **Motion / activity** | Motion-band power + phase acceleration | Real-time |
 > | 🤸 **Fall detection** | Phase-acceleration threshold + 3-frame debounce + 5 s cooldown ([#263](https://github.com/ruvnet/RuView/issues/263)) | < 200 ms |
 > | 🧮 **Multi-person count** | Adaptive P95 normalisation + runtime-tunable dedup factor (`/api/v1/config/dedup-factor`, [#491](https://github.com/ruvnet/RuView/pull/491)). Six specialised learned counters available as Cogs: `occupancy-zones`, `elevator-count`, `queue-length`, `customer-flow`, `clean-room`, `person-matching` | Real-time, self-calibrating |
-> | 🌍 **World model prediction** | OccWorld TransVQVAE — 15-frame future occupancy prediction, 209 ms inference, 3.4 GB VRAM on RTX 5080; fine-tune on your space with `occworld_retrain.py` ([ADR-147](docs/adr/ADR-147-nvidia-cosmos-world-foundation-model-integration.md)) | 15 frames × 200×200×16 vox |
 > | 🧱 **Through-wall sensing** | Fresnel-zone geometry + multipath modeling | Up to ~5 m, signal-dependent |
 > | 🧠 **Edge intelligence** | **105-cog catalog** ([ADR-102](docs/adr/ADR-102-edge-module-registry.md)) live from `app-registry.json` — health, security, building, retail, industrial, research, AI, swarm, signal, network, and developer modules. Optional Cognitum Seed adds persistent vector store + kNN + witness chain | $140 total BOM |
 > | 🎯 **Camera-free pre-training** | Self-supervised contrastive encoder, 12.2M training steps on 60K frames, shipped on Hugging Face | 84 s/epoch retrain on M4 Pro |
@@ -107,20 +107,8 @@ idf.py -p COM6 flash
 node scripts/rf-scan.js --port 5006           # Live RF room scan
 node scripts/snn-csi-processor.js --port 5006  # SNN real-time learning
 node scripts/mincut-person-counter.js --port 5006  # Correct person counting
-
-# Option 4: Python — live on PyPI (ADR-117)
-pip install ruview                        # or: pip install wifi-densepose
-# Both ship the same compiled PyO3 wheel (~250 KB, abi3-py310, Linux/macOS/Windows).
-# Add [client] for the asyncio WebSocket + paho-mqtt clients:
-pip install "ruview[client]"              # or: pip install "wifi-densepose[client]"
-
-# from ruview import BreathingExtractor, HeartRateExtractor   # equivalent to:
-# from wifi_densepose import BreathingExtractor, HeartRateExtractor
-# from ruview.client import SensingClient, RuViewMqttClient
 ```
 
-[![PyPI ruview](https://img.shields.io/pypi/v/ruview?label=ruview)](https://pypi.org/project/ruview/) [![PyPI wifi-densepose](https://img.shields.io/pypi/v/wifi-densepose?label=wifi-densepose)](https://pypi.org/project/wifi-densepose/)
-
 > [!NOTE]
 > **CSI-capable hardware recommended.** Presence, vital signs, through-wall sensing, and all advanced capabilities require Channel State Information (CSI) from an ESP32-S3 ($9) or research NIC. The Docker image runs with simulated data for evaluation. Consumer WiFi laptops provide RSSI-only presence detection.
 
@@ -162,7 +150,7 @@ pip install "ruview[client]"              # or: pip install "wifi-densepose[clie
 
 ## 🤗 Pretrained model on Hugging Face
 
-Pretrained CSI weights live at [`ruvnet/wifi-densepose-pretrained`](https://huggingface.co/ruvnet/wifi-densepose-pretrained) — 12.2M training steps on 60K frames / 610K contrastive triplets, **82.3% held-out temporal-triplet accuracy** (up from 66.4% raw; the older "100% presence" figure was measured on a single-class recording and has been retracted), 4-bit quantized variant fits in 8 KB. The release includes a contrastive **CSI encoder** producing 128-dim embeddings (164,183 emb/s on M4 Pro) and a **presence-detection head**. Per-node LoRA adapters are included for environment-specific fine-tuning.
+Pretrained CSI weights live at [`ruvnet/wifi-densepose-pretrained`](https://huggingface.co/ruvnet/wifi-densepose-pretrained) — 12.2M training steps on 60K frames / 610K contrastive triplets, **100% presence accuracy** on the validation set, 4-bit quantized variant fits in 8 KB. The release includes a contrastive **CSI encoder** producing 128-dim embeddings (164,183 emb/s on M4 Pro) and a **presence-detection head**. Per-node LoRA adapters are included for environment-specific fine-tuning.
 
 ```bash
 # Download the model bundle
@@ -182,27 +170,7 @@ huggingface-cli download ruvnet/wifi-densepose-pretrained --local-dir models/wif
 
 **Quantization choices** (all in the HF repo): `model-q2.bin` (4 KB) · `model-q4.bin` ⭐ recommended (8 KB) · `model-q8.bin` (16 KB) · `model.safetensors` full (48 KB)
 
-The separate **17-keypoint pose-estimation model** is now published at [`ruvnet/wifi-densepose-mmfi-pose`](https://huggingface.co/ruvnet/wifi-densepose-mmfi-pose) — **82.69% torso-PCK@20** on MM-Fi (single model) / **83.59%** (3-model ensemble + TTA), beating the prior published SOTA MultiFormer (72.25%) and CSI2Pose (68.41%) on the matched `random_split` protocol. See **Results & proof** below.
-
-### Results & proof
-
-| What | Where | Numbers |
-|------|-------|---------|
-| **MM-Fi pose model (SOTA)** | [`ruvnet/wifi-densepose-mmfi-pose`](https://huggingface.co/ruvnet/wifi-densepose-mmfi-pose) | 82.69% torso-PCK@20 (single) · 83.59% (ensemble+TTA) · 75K-param micro variant 74.30% |
-| **AetherArena benchmark Space** | [`ruvnet/aether-arena`](https://huggingface.co/spaces/ruvnet/aether-arena) | self-correcting, auditable MM-Fi leaderboard |
-| **Full MM-Fi study (honest picture)** | [`docs/benchmarks/mmfi-wifi-sensing-study.md`](docs/benchmarks/mmfi-wifi-sensing-study.md) | pose + action; zero-shot cross-subject ~64%, +~30 s in-room calibration → 72.2% |
-| **Efficiency frontier** | [`docs/benchmarks/wifi-pose-efficiency-frontier.md`](docs/benchmarks/wifi-pose-efficiency-frontier.md) | SOTA-beating WiFi pose in a 20 KB int4 edge model |
-| **Pretrained encoder** | [`ruvnet/wifi-densepose-pretrained`](https://huggingface.co/ruvnet/wifi-densepose-pretrained) | 82.3% held-out temporal-triplet, 8 KB int4 |
-| **Reproducible proof (Trust Kill Switch)** | [`archive/v1/data/proof/verify.py`](archive/v1/data/proof/verify.py) + [`expected_features.sha256`](archive/v1/data/proof/expected_features.sha256) | one-command deterministic pipeline replay (SHA-256 of output vs published hash) |
-| **Benchmark-proof ADR** | [ADR-147](docs/adr/ADR-147-benchmark-proof.md) | how the numbers are produced and verified |
-| **Witness attestation** | [`docs/WITNESS-LOG-028.md`](docs/WITNESS-LOG-028.md) | 33-row capability attestation matrix with per-claim evidence |
-
-```bash
-# Reproduce the deterministic pipeline proof yourself (must print VERDICT: PASS):
-python archive/v1/data/proof/verify.py
-```
-
-Tracked in [#509](https://github.com/ruvnet/RuView/issues/509); see [ADR-079](docs/adr/ADR-079-camera-supervised-pose-finetune.md) phases P7–P9 for the camera-supervised fine-tune path.
+The separate **17-keypoint pose-estimation model** is not in this release — pipeline is implemented but keypoint weights are still pending. Tracked in [#509](https://github.com/ruvnet/RuView/issues/509); see [ADR-079](docs/adr/ADR-079-camera-supervised-pose-finetune.md) phases P7–P9.
 
 
 ## 🧩 Edge Module Catalog
@@ -501,7 +469,7 @@ Every WiFi signal that passes through a room creates a unique fingerprint of tha
 **What it does in plain terms:**
 - Turns any WiFi signal into a 128-number "fingerprint" that uniquely describes what's happening in a room
 - Learns entirely on its own from raw WiFi data — no cameras, no labeling, no human supervision needed
-- Recognizes rooms, detects intruders, and classifies activities using only WiFi (named person-identity is an experimental, data-gated research capability — see below, not a shipped feature)
+- Recognizes rooms, detects intruders, identifies people, and classifies activities using only WiFi
 - Runs on an $8 ESP32 chip (the entire model fits in 55 KB of memory)
 - Produces both body pose tracking AND environment fingerprints in a single computation
 
@@ -512,7 +480,7 @@ Every WiFi signal that passes through a room creates a unique fingerprint of tha
 | **Self-supervised learning** | The model watches WiFi signals and teaches itself what "similar" and "different" look like, without any human-labeled data | Deploy anywhere — just plug in a WiFi sensor and wait 10 minutes |
 | **Room identification** | Each room produces a distinct WiFi fingerprint pattern | Know which room someone is in without GPS or beacons |
 | **Anomaly detection** | An unexpected person or event creates a fingerprint that doesn't match anything seen before | Automatic intrusion and fall detection as a free byproduct |
-| **Person re-identification** *(experimental, research)* | A real per-channel similarity matcher (Soul Signature §3.6, `wifi-densepose-bfld`); **measured** result: on WiFi-only cardiac+respiratory channels alone two people are *not* separable (gap ~0.0005) | Honest research capability — **named identity is not claimed** and is data-gated on enrollment with the decisive AETHER/body-resonance channel. See [#1021](https://github.com/ruvnet/RuView/issues/1021) |
+| **Person re-identification** | Each person disturbs WiFi in a slightly different way, creating a personal signature | Track individuals across sessions without cameras |
 | **Environment adaptation** | MicroLoRA adapters (1,792 parameters per room) fine-tune the model for each new space | Adapts to a new room with minimal data — 93% less than retraining from scratch |
 | **Memory preservation** | EWC++ regularization remembers what was learned during pretraining | Switching to a new task doesn't erase prior knowledge |
 | **Hard-negative mining** | Training focuses on the most confusing examples to learn faster | Better accuracy with the same amount of training data |
@@ -609,30 +577,16 @@ Verify the plugin structure: `bash plugins/ruview/scripts/smoke.sh`. Full detail
 |----------|-------------|
 | [User Guide](docs/user-guide.md) | Step-by-step guide: installation, first run, API usage, hardware setup, training |
 | [Build Guide](docs/build-guide.md) | Building from source (Rust and Python) |
-| [**Home Assistant + Matter Integration**](docs/integrations/home-assistant.md) | **Works with Home Assistant** via MQTT auto-discovery + **Works with Matter** (Apple Home / Google Home / Alexa / SmartThings) — full entity catalog, 3 starter blueprints, Lovelace dashboards, privacy mode, threshold tuning ([ADR-115](docs/adr/ADR-115-home-assistant-integration.md)). |
-| [**BFLD — Beamforming Feedback Layer for Detection**](v2/crates/wifi-densepose-bfld/README.md) | New privacy-gated WiFi sensing layer that measures + structurally prevents identity leakage from 802.11ac/ax Beamforming Feedback Information. Three type-enforced invariants (raw BFI never exits node, identity embedding is in-RAM-only, cross-site correlation cryptographically impossible via per-site BLAKE3 keyed hash + daily rotation). Ships full operator surface (`BfldPipeline`, `BfldPipelineHandle`, the Soul Signature §3.6 per-channel matcher `EnrolledMatcher`/`SoulMatchOracle` — experimental; named identity is data-gated, **measured** as not-separable on WiFi-only channels alone), MQTT topic router + HA-DISCO + availability + LWT, 3 operator HA blueprints, two runnable examples, eclipse-mosquitto:2 CI service container. 327+ tests. [ADR-118](docs/adr/ADR-118-bfld-beamforming-feedback-layer-for-detection.md) umbrella + sub-ADRs [119](docs/adr/ADR-119-bfld-frame-format-and-wire-protocol.md)/[120](docs/adr/ADR-120-bfld-privacy-class-and-hash-rotation.md)/[121](docs/adr/ADR-121-bfld-identity-risk-scoring.md)/[122](docs/adr/ADR-122-bfld-ruview-ha-matter-exposure.md)/[123](docs/adr/ADR-123-bfld-capture-path-nexmon-and-esp32.md). Research dossier: [`docs/research/BFLD/`](docs/research/BFLD/) (11 files, 13,544 words). |
-| [**SENSE-BRIDGE — rvagent MCP server**](tools/ruview-mcp/README.md) | Dual-transport MCP server (`@ruvnet/rvagent`) bridging the RuView sensing stack to AI agents (Claude Code, Cursor, ruflo swarms). 6 tools wired: `ruview.presence.now`, `ruview.vitals.get_{breathing,heart_rate,all}`, `ruview.bfld.last_scan`, `ruview.bfld.subscribe`. stdio + Streamable HTTP (`POST /mcp`, Origin-validated, bearer-token auth, `127.0.0.1` bind). Full 20-tool Zod schema barrel + 5 RUVIEW-POLICY governance tools. 93 tests. [ADR-124](docs/adr/ADR-124-rvagent-mcp-ruvector-npm-integration.md). Try: `npx @ruvnet/rvagent stdio`. |
-| [Semantic Primitives — Precision/Recall](docs/integrations/semantic-primitives-metrics.md) | Per-primitive F1 on the held-out paired-capture set: someone-sleeping, possible-distress, room-active, elderly-inactivity-anomaly, meeting, bathroom, fall-risk, bed-exit, no-movement, multi-room. |
 | [Claude Code / Codex Plugin](plugins/ruview/README.md) | The `ruview` plugin + marketplace — skills, `/ruview-*` commands, agents, and the Codex prompt mirror |
 | [Architecture Decisions](docs/adr/README.md) | 96 ADRs — why each technical choice was made, organized by domain (hardware, signal processing, ML, platform, infrastructure) |
 | [Domain Models](docs/ddd/README.md) | 8 DDD models (RuvSense, Signal Processing, Training Pipeline, Hardware Platform, Sensing Server, WiFi-Mat, CHCI, rvCSI) — bounded contexts, aggregates, domain events, and ubiquitous language |
 | [rvCSI — edge RF sensing runtime](https://github.com/ruvnet/rvcsi) | Rust-first / TypeScript-accessible / hardware-abstracted CSI runtime: multi-source ingestion (incl. real nexmon_csi `.pcap` from a **Raspberry Pi 5** / Pi 4 / Pi 3B+ — CYW43455 / BCM43455c0) → validation → DSP → typed events → RuVector RF memory ([ADR-095](docs/adr/ADR-095-rvcsi-edge-rf-sensing-platform.md), [ADR-096](docs/adr/ADR-096-rvcsi-ffi-crate-layout.md), [domain model](docs/ddd/rvcsi-domain-model.md)). Now its own repo — [`ruvnet/rvcsi`](https://github.com/ruvnet/rvcsi) — vendored here under `vendor/rvcsi`; 9 `rvcsi-*` crates on crates.io, `@ruv/rvcsi` on npm, plus a Claude Code plugin. |
 | [Desktop App](v2/crates/wifi-densepose-desktop/README.md) | **WIP** — Tauri v2 desktop app for node management, OTA updates, WASM deployment, and mesh visualization |
-| `ruview-swarm` | Drone swarm control system (ADR-148) — hierarchical-mesh topology, Raft consensus, MARL, CSI sensing payload, MAVLink/PX4/ArduPilot compatibility, Ruflo AI-agent integration |
 | [Medical Examples](examples/medical/README.md) | Contactless blood pressure, heart rate, breathing rate via 60 GHz mmWave radar — $15 hardware, no wearable |
 | [Extended Documentation](docs/readme-details.md) | Latest additions, key features, installation, quick start, signal processing, training, CLI, testing, deployment, and changelog |
 
 ---
 
-## 🚧 Beta software
-
-> **Beta Software** — Under active development. APIs and firmware may change. Known limitations:
-> - ESP32-C3 and original ESP32 are not supported (single-core, insufficient for CSI DSP)
-> - Single ESP32 deployments have limited spatial resolution — use 2+ nodes or add a [Cognitum Seed](https://cognitum.one) for best results
-> - Camera-free pose accuracy is limited (PCK@20 ≈ 2.5% with proxy labels) — [camera ground-truth training](docs/adr/ADR-079-camera-ground-truth-training.md) targets **35%+ PCK@20**; the pipeline is implemented, but the data-collection and evaluation phases (ADR-079 P7–P9) are still pending.
->
-> Contributions and bug reports welcome at [Issues](https://github.com/ruvnet/RuView/issues).
-
 ## 📄 License
 
 MIT License — see [LICENSE](LICENSE) for details.

aether-arena/README.md

@@ -1,50 +0,0 @@
-# AetherArena ("AA") — The Official Spatial-Intelligence Benchmark
-
-> **Public leaderboard. Private evaluation split. Open scorer. Signed results.**
-
-AetherArena is a **standalone, project-agnostic benchmark** for camera-free **spatial intelligence** — pose, presence, occupancy, tracking, and vitals from RF/WiFi (and, over time, mmWave / UWB / radar / lidar / multimodal). It is **not** a single-vendor leaderboard: any team, framework, or sensing modality can enter, and every entrant — including the RuView baseline that donated the seed scorer — is scored by the identical, open, pinned harness.
-
-Specified in [ADR-149](../docs/adr/ADR-149-public-community-leaderboard-huggingface.md) (Accepted).
-
-Canonical home: **`ruvnet/aether-arena`** + a Hugging Face Space (deploy pending — see `STATUS`).
-
----
-
-## Why
-
-WiFi/RF spatial sensing has no shared yardstick — papers self-report against inconsistent splits and metrics, with **no accounting for latency, reproducibility, or privacy leakage**. AA fixes the *measurement*, not just the models: a single deterministic scorer, a private held-out split nobody can train on, and a signed result ledger that can't be silently edited.
-
-## What gets measured (v0)
-
-| Category | Metric | Status |
-|----------|--------|--------|
-| **Pose** | PCK@0.2 (all / torso), OKS | Ranked |
-| **Presence** | accuracy, FP/FN | Ranked |
-| **Edge latency** | p50 / p95 / p99 ms | Ranked |
-| **Determinism** | proof-hash pass/fail | Ranked (gate) |
-| Tracking (MOTA) | — | activates when multi-person clips land |
-| Vitals (BPM err) | — | activates when paired vitals ground truth lands |
-| **Privacy leakage** | membership-inference ∈ [0,1] | **gated — not ranked** until the attacker ships |
-| Cross-room | degradation ratio | coming soon |
-
-The headline rank is the **category metric**; an optional `arena_score = quality × latency_factor × privacy_factor × determinism_gate` is exposed alongside (never instead) so accuracy can't win at any cost. See ADR-149 §2.5.
-
-## How scoring works
-
-The scorer is RuView's **already-published** `wifi-densepose-train` acceptance harness (`ruview_metrics` + ADR-145 `ablation`), run in a pinned sandbox. **You submit a model, not predictions** — predictions on data you hold prove nothing. Your model is scored against a **private** MM-Fi held-out split (CC BY-NC 4.0; Wi-Pose excluded for redistribution reasons), and one **signed, append-only** row is written to the results ledger with a determinism proof hash.
-
-Submission lifecycle: `submitted → validated → quarantined → smoke_scored → full_scored → published` (or `rejected` with a reason). The model only ever runs inside a no-network, read-only-FS sandbox.
-
-## Submit (when the Space is live)
-
-1. Write a manifest: [`schema/aa-submission.toml`](schema/aa-submission.toml).
-2. Push your model artifact (`.safetensors` / `.rvf` / LoRA adapter) + manifest to the Space.
-3. Watch it move through the lifecycle; your signed row appears on the board.
-
-## Verify it's fair (you don't have to trust us)
-
-See [`VERIFY.md`](VERIFY.md) — run the **open scorer** locally on the **public smoke split**, reproduce the determinism hash, and confirm RuView's own entries were scored by the identical path. That five-step check is the launch gate (ADR-149 §7).
-
-## Neutrality
-
-AA is a neutral commons. The scorer is open and versioned; any metric change is a public `harness_version` bump that **re-scores all entries**. RuView donated the seed harness and enters as one baseline — it gets no special treatment (ADR-149 §2.8).

aether-arena/STATUS.md

@@ -1,30 +0,0 @@
-# AetherArena — Build Status
-
-Tracks ADR-149 implementation milestones. "Complete" = benchmark **infrastructure** done,
-tested, CI-gated, deploy-ready, RuView baseline entered, §7 acceptance test passing.
-Model **SOTA** (e.g. MM-Fi PCK@20 ~72%) is a separate long-running ML effort, blocked on
-ADR-079 camera-ground-truth collection — *not* an infra-completion blocker.
-
-| # | Milestone | Status |
-|---|-----------|--------|
-| M1 | ADR-149 Accepted + committed | ✅ done |
-| M2 | Scorer runner (`aa_score_runner`) — **real model scoring** + witness (proof+inputs hash) + **repeatability analysis** | ✅ done — builds `--no-default-features`, determinism gate PASS, repeatable 16/16 |
-| M3 | CI harness-gate workflow (PR runs scorer + repeatability + real-scoring smoke + ledger verify) | ✅ done — `.github/workflows/aether-arena-harness.yml` |
-| M4 | Scaffold: README + submission schema + VERIFY (acceptance test) | ✅ done |
-| M5 | Public smoke split (committed) + private MM-Fi held-out split prep | 🟡 smoke split done (`fixtures/smoke_*.json`); private MM-Fi prep pending |
-| M6 | HF Space (Gradio) — leaderboard + ledger integrity + submit/verify/about | ✅ deployed → https://huggingface.co/spaces/ruvnet/aether-arena (sandboxed scorer container = later hardening) |
-| M7 | **Witness ledger chain** — append-only, hash-chained, tamper-evident | ✅ done — `ledger/ledger_tools.py` (seed/append/verify); tamper test fails as designed |
-| M8 | Public launch | ✅ Space **LIVE** (gradio 5.9.1, serving 200) — **board empty, awaiting first real harness score** (benchmark-first: no seeded numbers) |
-
-## v0 infrastructure: COMPLETE
-Implement ✅ · Test ✅ · Deploy to HF ✅ (https://huggingface.co/spaces/ruvnet/aether-arena) · Instructions+Verification ✅ · PR runs the harness ✅ (PR #874, AA harness gate **passed**).
-Remaining = data + hardening, not infra: private MM-Fi held-out split (M5), sandboxed scorer container (M6), privacy-leakage attacker (gated category), and **model SOTA** (separate ML effort, blocked on ADR-079 — explicitly not an infra exit).
-
-## Benchmark-first posture (per user direction)
-- **No placeholder numbers on the board.** The ledger seeds to genesis only; every result is a real scoring-pipeline witness. RuView gets no seeded baseline.
-- **Witness chain** = `inputs_sha256` (binds witness to exact inputs) + `proof_sha256` (cross-platform-stable score hash) + the append-only hash-chained ledger. Repeatability analysis (`--repeat N`) proves the proof hash is identical across runs.
-
-## Blockers / decisions needed
-- **HF deploy (M6)** — token is in GCP Secret Manager (`HUGGINGFACE_API_KEY`); creating the public `ruvnet/aether-arena` Space still wants explicit go.
-- **MM-Fi is CC BY-NC** → AA must stay non-commercial / legally distinct from the commercial RuView product.
-- **Private MM-Fi split (M5)** — needs the dataset pulled + a held-out split assembled before real public scoring replaces the smoke fixture.

aether-arena/VERIFY.md

@@ -1,78 +0,0 @@
-# Verifying AetherArena (you don't have to trust us)
-
-AA's credibility rests on a stranger being able to reproduce a score and see that the rules are fair. This is the **launch gate** (ADR-149 §7): v0 does not ship until all five checks below pass for someone with no insider access.
-
-> **Wider context:** this page covers the *leaderboard scorer*. For the whole-platform answer to
-> "is this real / does it actually work?" — including the deterministic pipeline proof, the
-> published models + public-benchmark numbers, and the built-in-public development trail — see
-> [`docs/proof-of-capabilities.md`](../docs/proof-of-capabilities.md).
-
-## The open scorer
-
-The scoring engine is a pure-Rust, GPU-free binary: `aa_score_runner` in `wifi-densepose-train`. It runs the real `ruview_metrics` pose-acceptance harness on a fixed fixture and emits a cross-platform-stable SHA-256 **determinism proof**.
-
-### Reproduce the determinism hash locally
-
-```bash
-cd v2
-# Verify the committed expected hash still matches (this is the CI gate):
-cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features
-# → prints the witness (inputs_sha256 + proof_sha256) and "VERDICT: PASS"
-
-# See the witness row as JSON:
-cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features -- --json
-```
-
-### Witness chain — proof + repeatability analysis
-
-Every score is a **witness**: `inputs_sha256` (binds it to the exact inputs scored)
-+ `proof_sha256` (cross-platform-stable hash of the quantised score) + `harness_version`.
-Witnesses are recorded in an **append-only, hash-chained ledger** (each row references
-the previous row's hash), so a silent edit to any past row breaks the chain.
-
-```bash
-# Repeatability: run the scorer K times, confirm ONE identical proof hash:
-cd v2
-cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features -- --repeat 16
-# → {"repeatability":{"runs":16,"unique_proof_hashes":1,"repeatable":true,...}}
-
-# Real model scoring (score predictions against an eval split):
-cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features -- \
-  --split ../aether-arena/fixtures/smoke_split.json \
-  --pred  ../aether-arena/fixtures/smoke_pred.json --json
-
-# Verify the witness ledger chain is intact (tamper-evident):
-cd ../aether-arena/ledger && python3 ledger_tools.py verify
-# → "OK: N rows, chain intact"   (edit any row and it reports the broken link)
-```
-
-The expected hash is committed at [`fixtures/expected_score.sha256`](fixtures/expected_score.sha256). Same harness version + same fixture → same hash on glibc / MSVC / Apple. If your local run prints `VERDICT: PASS`, you have reproduced the scorer.
-
-### What happens if the scoring maths changes
-
-Any edit to `ruview_metrics.rs`, `ablation.rs`, or `aa_score_runner.rs` moves the hash and **fails the CI gate** (`.github/workflows/aether-arena-harness.yml`) until the maintainer regenerates and reviews:
-
-```bash
-cargo run -p wifi-densepose-train --bin aa_score_runner --no-default-features -- --generate-hash \
-  > aether-arena/fixtures/expected_score.sha256
-```
-
-So a scorer change is always a reviewed, public diff — never silent. That's `harness_version` pinning + `determinism_gate` in action (ADR-149 §2.4–§2.5).
-
-## The five-step acceptance test (v0 launch gate)
-
-A stranger must be able to:
-
-1. **Submit** a model (artifact + `schema/aa-submission.toml`) with no insider help.
-2. **Get a deterministic score** — same model + same `harness_version` → same numbers.
-3. **See the signed row** appended to the public results ledger.
-4. **Rerun the scorer locally** on the public smoke split and reproduce the logic (the command above).
-5. **Understand why the rank is fair** — private split, open scorer, pinned version, proof hash — from these docs alone.
-
-If any step fails, v0 is not ready.
-
-## Current status
-
-- ✅ Step 4 (rerun the open scorer locally, reproduce the hash) — **works today** via `aa_score_runner`.
-- ✅ CI harness gate runs the scorer on every PR.
-- ⏳ Steps 1–3, 5 (HF Space submission flow + signed ledger) — in progress; require the HF Space deploy (needs an HF token / maintainer authorization).

aether-arena/calibration/README.md

@@ -1,87 +0,0 @@
-# RuView Calibration Service (reference implementation)
-
-Turn a **shared WiFi-CSI pose base model** into a room-specific one with a **30-second labeled
-calibration** and a **~11 KB per-room LoRA adapter**. This is the deployable resolution of the
-cross-subject / cross-environment generalization problem (full study: [ADR-150 §3.3–3.6](../../docs/adr/ADR-150-rf-foundation-encoder.md)).
-
-## Why
-
-Zero-shot WiFi pose generalizes poorly to a **new room or new person** — an unseen room can drop a
-strong model to near-random. But that gap is **not** algorithmically closeable (CORAL, DANN,
-instance-norm, contrastive foundation-pretraining all failed) and **not** closeable by collecting
-more subjects (saturates ~64%). It **is** closeable, cheaply, at deployment time: a handful of
-labeled frames from the actual room pin down its multipath instantly.
-
-| Deployment case | Zero-shot | + in-room calibration |
-|-----------------|----------:|----------------------:|
-| Same room, new person (cross-subject) | 64% | **76%** (200 samples) |
-| **New room + new person (cross-environment)** | **~10%** | **60% @ 5 samples → 73% @ 200** |
-
-**Verified demo (this code, source-only base on an unseen MM-Fi room E04):**
-`zero-shot 3.09% → after 200-sample calibration 74.29%` (+71 pts).
-
-## How it works
-
-A frozen shared **base** (transformer + temporal attention pool + skeleton-graph head, the published
-[`ruvnet/wifi-densepose-mmfi-pose`](https://huggingface.co/ruvnet/wifi-densepose-mmfi-pose)) plus a
-tiny **LoRA adapter** (rank 8 on the input projection + pose head — **11,200 params ≈ 11 KB int8 /
-22 KB fp16**) fitted per room. Thousands of room-adapters hang off one base.
-
-## Usage
-
-```bash
-# 1) Capture a short labeled clip in the deployment room -> calib.npz {X:[N,3,114,10], Y:[N,17,2]}
-#    (~100–200 samples recommended; below ~20 the adapter can underperform zero-shot)
-
-# 2) Fit the per-room adapter (~11 KB):
-python calibrate.py --base pose_mmfi_best.pt --data calib.npz --out room.adapter.npz
-
-# 3) Run calibrated inference (base + room adapter):
-python infer.py --base pose_mmfi_best.pt --adapter room.adapter.npz --data frames.npz --out kp.npy
-#    omit --adapter to run the uncalibrated (zero-shot) base
-```
-
-`X` is CSI amplitude `[N, 3 antennas, 114 subcarriers, 10 frames]` (per-sample standardization is
-applied internally). `Y` is `[N,17,2]` COCO keypoints in `[0,1]`.
-
-## Calibration budget (measured, rank-8 LoRA, 3 seeds — ADR-150 §3.5)
-
-| Labeled samples/room | cross-subject | cross-environment |
-|---------------------:|--------------:|------------------:|
-| 0 (zero-shot) | 64% | ~10% |
-| 5 | — | 60% |
-| 20 | 66% | 66% |
-| 50 | 70% | 70% |
-| 200 | 72% | 73% |
-
-Knee at ~50 samples (~70%); **below ~20 samples the adapter can hurt** (too few to fit reliably).
-
-## Two models, two producers (not interchangeable)
-
-Adapters are **model-specific**. There are two calibration producers here:
-
-| Producer | Target model | Input | Adapter format | Consumer |
-|----------|--------------|-------|----------------|----------|
-| `calibrate.py` | MM-Fi **transformer** (`pose_mmfi_best.pt`, 3×114×10) | `[N,3,114,10]` | `.npz` (`proj`/`head` LoRA) | this Python `infer.py` |
-| `cog_calibrate.py` | cog **conv+MLP** (`pose_v1.safetensors`, 56×20) | `[N,56,20]` | `.safetensors` (`fc1.a`/`fc1.b`/`fc2.a`/`fc2.b`) | Rust `cog-pose-estimation run --adapter` |
-
-```bash
-# Produce a cog-format per-room adapter for the deployed Rust pose engine:
-python cog_calibrate.py --base pose_v1.safetensors --data calib.npz --out room.safetensors
-# then in the cog runtime:
-cog-pose-estimation run --config <cfg> --adapter room.safetensors
-```
-
-Same LoRA *mechanism* (ADR-150 §3.5), different architecture and key layout — an adapter from one
-producer will not load into the other model.
-
-## Notes
-
-- **Calibration only helps when the base hasn't already seen the room.** The published flagship was
-  trained on MM-Fi `random_split`, so calibrating it on an MM-Fi subject is a near-no-op (it already
-  saw them); for a genuinely new real-world room it is zero-shot and calibration applies. To
-  *reproduce the demo* on a held-out MM-Fi room, train a source-only base (exclude the target
-  environment) — see `ADR-150 §3.6` and the few-shot harness in `aether-arena/staging/`.
-- Adapter is saved fp16 (~22 KB); quantize to int8 for the ~11 KB on-device form.
-- Inference is real-time on CPU (the 75 K-param `micro` variant runs in 0.135 ms single-thread x86;
-  see [`docs/benchmarks/wifi-pose-efficiency-frontier.md`](../../docs/benchmarks/wifi-pose-efficiency-frontier.md)).

aether-arena/calibration/calibrate.py

@@ -1,71 +0,0 @@
-"""RuView per-room calibration — fit a ~11 KB LoRA adapter from a short labeled in-room capture.
-
-    python calibrate.py --base pose_mmfi_best.pt --data room_calib.npz --out room_A.adapter.npz
-
-`room_calib.npz` must contain `X` [N,3,114,10] CSI amplitude and `Y` [N,17,2] (or [N,34]) keypoints
-in [0,1] — the labeled calibration samples from the deployment room (~100–200 recommended; ≥20).
-Outputs a tiny adapter (.npz, ~11 KB) that, loaded over the shared base at inference, recovers
-SOTA-level pose for that room/person (ADR-150 §3.5–3.6).
-"""
-import argparse
-import numpy as np
-import torch
-import torch.nn as nn
-
-from model import PoseNet, standardize
-
-
-def main():
-    ap = argparse.ArgumentParser()
-    ap.add_argument("--base", required=True, help="base checkpoint (pose_mmfi_best.pt)")
-    ap.add_argument("--data", required=True, help="labeled calibration .npz with X and Y")
-    ap.add_argument("--out", required=True, help="output adapter .npz")
-    ap.add_argument("--rank", type=int, default=8)
-    ap.add_argument("--iters", type=int, default=600)
-    ap.add_argument("--lr", type=float, default=8e-4)
-    ap.add_argument("--device", default="cuda" if torch.cuda.is_available() else "cpu")
-    a = ap.parse_args()
-
-    z = np.load(a.data)
-    X = torch.tensor(z["X"].astype(np.float32))
-    Y = torch.tensor(z["Y"].reshape(len(z["Y"]), 34).astype(np.float32))
-    n = len(X)
-    if n < 20:
-        print(f"WARNING: only {n} calibration samples — below ~20 the adapter may underperform "
-              f"zero-shot (ADR-150 §3.5). Recommend ~100–200.")
-    dev = a.device
-
-    net = PoseNet().to(dev)
-    net.load_state_dict(torch.load(a.base, map_location=dev), strict=False)
-    net.add_lora(r=a.rank).to(dev)
-    for k, p in net.named_parameters():
-        p.requires_grad = k.endswith(".A") or k.endswith(".B")
-    trainable = [p for p in net.parameters() if p.requires_grad]
-    n_tr = sum(p.numel() for p in trainable)
-
-    Xs = standardize(X.to(dev))
-    Yt = Y.to(dev)
-    opt = torch.optim.AdamW(trainable, lr=a.lr, weight_decay=0.0)
-    lossf = nn.SmoothL1Loss(beta=0.1)
-    bs = min(128, n)
-    net.train()
-    for it in range(a.iters):
-        bi = torch.randint(0, n, (bs,), device=dev)
-        xb = Xs[bi]
-        # light augmentation (subcarrier dropout + noise) — matches training-time regularization
-        m = (torch.rand(xb.shape[0], xb.shape[1], 1, 1, device=dev) > 0.15).float()
-        xb = xb * m + 0.03 * torch.randn_like(xb) * torch.rand(xb.shape[0], 1, 1, 1, device=dev)
-        opt.zero_grad()
-        lossf(net(xb), Yt[bi]).backward()
-        opt.step()
-
-    adapter = net.lora_state()
-    nbytes = sum(v.astype(np.float16).nbytes for v in adapter.values())
-    np.savez(a.out, **{k: v.astype(np.float16) for k, v in adapter.items()},
-             _meta=np.array([a.rank, n, n_tr], dtype=np.int64))
-    print(f"saved {a.out} | rank {a.rank} | {n_tr:,} params | ~{nbytes/1024:.1f} KB fp16 | "
-          f"from {n} labeled samples")
-
-
-if __name__ == "__main__":
-    main()

aether-arena/calibration/cog_calibrate.py

@@ -1,120 +0,0 @@
-"""Per-room calibration producer for the cog-pose-estimation **conv+MLP** model
-(`pose_v1.safetensors`, 56 subcarriers x 20 frames). Companion to `calibrate.py`
-(which targets the MM-Fi *transformer* model) — different model, different adapter
-key layout, NOT interchangeable (ADR-150 §3.5).
-
-Fits a rank-r LoRA on the pose head (fc1, fc2) from a short labeled in-room capture and
-writes a **safetensors** adapter with keys `fc1.a`/`fc1.b`/`fc2.a`/`fc2.b` (scale baked
-into `b`) — exactly what `cog-pose-estimation run --adapter <file>` consumes.
-
-    python cog_calibrate.py --base pose_v1.safetensors --data calib.npz --out room.safetensors
-
-`calib.npz`: `X` [N,56,20] CSI window + `Y` [N,17,2] (or [N,34]) keypoints in [0,1].
-"""
-import argparse
-import numpy as np
-import torch
-import torch.nn as nn
-import torch.nn.functional as F
-
-
-class CogPose(nn.Module):
-    """Mirrors cog-pose-estimation's PoseNet (Candle) exactly — same safetensors keys."""
-
-    def __init__(self):
-        super().__init__()
-        self.enc = nn.ModuleDict({
-            "c1": nn.Conv1d(56, 64, 3, padding=1, dilation=1),
-            "c2": nn.Conv1d(64, 128, 3, padding=2, dilation=2),
-            "c3": nn.Conv1d(128, 128, 3, padding=4, dilation=4),
-        })
-        self.head = nn.ModuleDict({"fc1": nn.Linear(128, 256), "fc2": nn.Linear(256, 34)})
-        self.fc1_lora = None
-        self.fc2_lora = None
-
-    def _lora(self, slot, x, y):
-        if slot is None:
-            return y
-        a, b = slot
-        return y + (x @ a) @ b
-
-    def forward(self, x):                       # x: [B, 56, 20]
-        h = F.relu(self.enc["c1"](x))
-        h = F.relu(self.enc["c2"](h))
-        h = F.relu(self.enc["c3"](h))
-        h = h.mean(2)                            # [B, 128]
-        z1 = self.head["fc1"](h)
-        z1 = self._lora(self.fc1_lora, h, z1)
-        h1 = F.relu(z1)
-        z2 = self.head["fc2"](h1)
-        z2 = self._lora(self.fc2_lora, h1, z2)
-        return torch.sigmoid(z2)                 # [B, 34]
-
-    def add_lora(self, r=4):
-        self.fc1_lora = (nn.Parameter(torch.randn(128, r) * 0.02), nn.Parameter(torch.zeros(r, 256)))
-        self.fc2_lora = (nn.Parameter(torch.randn(256, r) * 0.02), nn.Parameter(torch.zeros(r, 34)))
-        for p in (*self.fc1_lora, *self.fc2_lora):
-            self.register_parameter(f"lora_{id(p)}", p)
-        return self
-
-
-def load_base(net: CogPose, path: str):
-    from safetensors.torch import load_file
-    sd = load_file(path)
-    # remap "enc.c1.weight" -> module dict keys
-    mapped = {}
-    for k, v in sd.items():
-        mapped[k.replace("enc.", "enc.").replace("head.", "head.")] = v
-    net.load_state_dict(mapped, strict=False)
-    return net
-
-
-def fit(base: str, data: str, out: str, rank: int = 4, iters: int = 400, lr: float = 1e-3):
-    z = np.load(data)
-    X = torch.tensor(z["X"].astype(np.float32))          # [N,56,20]
-    Y = torch.tensor(z["Y"].reshape(len(z["Y"]), 34).astype(np.float32))
-    n = len(X)
-    net = CogPose()
-    load_base(net, base)
-    net.add_lora(rank)
-    for p in net.parameters():
-        p.requires_grad = False
-    lora = [*net.fc1_lora, *net.fc2_lora]
-    for p in lora:
-        p.requires_grad = True
-    opt = torch.optim.AdamW(lora, lr=lr, weight_decay=0.0)
-    lossf = nn.SmoothL1Loss(beta=0.1)
-    bs = min(64, n)
-    net.train()
-    for _ in range(iters):
-        bi = torch.randint(0, n, (bs,))
-        opt.zero_grad()
-        lossf(net(X[bi]), Y[bi]).backward()
-        opt.step()
-
-    alpha = 16.0
-    scale = alpha / rank
-    a1, b1 = net.fc1_lora
-    a2, b2 = net.fc2_lora
-    tensors = {
-        "fc1.a": a1.detach().contiguous(),
-        "fc1.b": (b1.detach() * scale).contiguous(),    # bake scale into b
-        "fc2.a": a2.detach().contiguous(),
-        "fc2.b": (b2.detach() * scale).contiguous(),
-    }
-    from safetensors.torch import save_file
-    save_file(tensors, out)
-    return out, sum(p.numel() for p in lora), n
-
-
-if __name__ == "__main__":
-    ap = argparse.ArgumentParser()
-    ap.add_argument("--base", required=True)
-    ap.add_argument("--data", required=True)
-    ap.add_argument("--out", required=True)
-    ap.add_argument("--rank", type=int, default=4)
-    ap.add_argument("--iters", type=int, default=400)
-    a = ap.parse_args()
-    out, np_, n = fit(a.base, a.data, a.out, a.rank, a.iters)
-    print(f"saved {out} | {np_} LoRA params from {n} samples "
-          f"(keys fc1.a/fc1.b/fc2.a/fc2.b — load with cog-pose-estimation run --adapter)")

aether-arena/calibration/infer.py

@@ -1,49 +0,0 @@
-"""Run calibrated WiFi-CSI pose inference: shared base + a per-room LoRA adapter.
-
-    python infer.py --base pose_mmfi_best.pt --adapter room_A.adapter.npz --data frames.npz
-
-`frames.npz` contains `X` [N,3,114,10] CSI amplitude. Prints/saves [N,17,2] keypoints in [0,1].
-Omit --adapter to run the uncalibrated (zero-shot) base. With a room adapter, expect SOTA-level
-accuracy in that room/person; without one, zero-shot degrades in unseen rooms (ADR-150 §3.6).
-"""
-import argparse
-import numpy as np
-import torch
-
-from model import PoseNet, standardize
-
-
-def main():
-    ap = argparse.ArgumentParser()
-    ap.add_argument("--base", required=True)
-    ap.add_argument("--adapter", default=None, help="per-room .adapter.npz (omit for zero-shot)")
-    ap.add_argument("--data", required=True, help=".npz with X [N,3,114,10]")
-    ap.add_argument("--out", default=None, help="optional .npy to save [N,17,2] keypoints")
-    ap.add_argument("--rank", type=int, default=8)
-    ap.add_argument("--device", default="cuda" if torch.cuda.is_available() else "cpu")
-    a = ap.parse_args()
-    dev = a.device
-
-    net = PoseNet().to(dev)
-    net.load_state_dict(torch.load(a.base, map_location=dev), strict=False)
-    if a.adapter:
-        net.add_lora(r=a.rank).to(dev)
-        z = np.load(a.adapter)
-        net.load_lora({k: z[k].astype(np.float32) for k in z.files if k.endswith(".A") or k.endswith(".B")})
-    net.eval()
-
-    X = torch.tensor(np.load(a.data)["X"].astype(np.float32)).to(dev)
-    Xs = standardize(X)
-    out = []
-    with torch.no_grad():
-        for i in range(0, len(Xs), 4096):
-            out.append(net(Xs[i:i + 4096]).cpu().numpy())
-    kp = np.concatenate(out).reshape(-1, 17, 2)
-    print(f"inferred {len(kp)} frames | adapter={'yes' if a.adapter else 'NONE (zero-shot)'}")
-    if a.out:
-        np.save(a.out, kp)
-        print(f"saved keypoints -> {a.out}")
-
-
-if __name__ == "__main__":
-    main()

aether-arena/calibration/model.py

@@ -1,107 +0,0 @@
-"""WiFi-CSI pose model + LoRA adapter for the RuView calibration service.
-
-Architecture matches the published flagship checkpoint
-[`ruvnet/wifi-densepose-mmfi-pose`](https://huggingface.co/ruvnet/wifi-densepose-mmfi-pose)
-(`pose_mmfi_best.pt`): transformer encoder + temporal attention pooling + skeleton-graph head.
-
-The calibration service freezes this base and fits a tiny per-room **LoRA adapter** (rank 8 on the
-input projection + pose head ≈ 11 KB) from ~100–200 labeled in-room samples. Empirically that lifts
-cross-subject 64→72% and cross-environment 11→73% (ADR-150 §3.3–3.6).
-"""
-import numpy as np
-import torch
-import torch.nn as nn
-
-# COCO-17 skeleton edges for the graph-refinement head.
-EDGES = [(0, 1), (0, 2), (1, 3), (2, 4), (5, 6), (5, 7), (7, 9), (6, 8), (8, 10),
-         (5, 11), (6, 12), (11, 12), (11, 13), (13, 15), (12, 14), (14, 16)]
-_A = np.eye(17, dtype=np.float32)
-for _i, _j in EDGES:
-    _A[_i, _j] = _A[_j, _i] = 1.0
-_A = _A / _A.sum(1, keepdims=True)
-
-
-class LoRA(nn.Module):
-    """Low-rank adapter wrapping a frozen Linear: y = W·x + (x·A·B)·(alpha/r)."""
-
-    def __init__(self, base: nn.Linear, r: int = 8, alpha: int = 16):
-        super().__init__()
-        self.base = base
-        for p in self.base.parameters():
-            p.requires_grad = False
-        self.A = nn.Parameter(torch.zeros(base.in_features, r))
-        self.B = nn.Parameter(torch.zeros(r, base.out_features))
-        nn.init.normal_(self.A, std=0.02)
-        self.scale = alpha / r
-
-    def forward(self, x):
-        return self.base(x) + (x @ self.A @ self.B) * self.scale
-
-
-class GR(nn.Module):
-    """Skeleton-graph refinement: nudges joints toward anatomically consistent positions."""
-
-    def __init__(self, d=256, h=96):
-        super().__init__()
-        self.je = nn.Parameter(torch.randn(17, 32) * 0.02)
-        self.inp = nn.Linear(d + 34, h)
-        self.g1 = nn.Linear(h, h)
-        self.g2 = nn.Linear(h, h)
-        self.out = nn.Linear(h, 2)
-        self.register_buffer("A", torch.tensor(_A))
-
-    def forward(self, z, kp0):
-        B = z.shape[0]
-        f = torch.relu(self.inp(torch.cat(
-            [z.unsqueeze(1).expand(-1, 17, -1), self.je.unsqueeze(0).expand(B, -1, -1), kp0], -1)))
-        f = torch.relu(self.g1(torch.einsum('ij,bjh->bih', self.A, f)))
-        f = torch.relu(self.g2(torch.einsum('ij,bjh->bih', self.A, f)))
-        return kp0 + 0.3 * torch.tanh(self.out(f))
-
-
-class PoseNet(nn.Module):
-    """Flagship pose model. Input [B,3,114,10] CSI amplitude (per-sample standardized) -> [B,34]."""
-
-    def __init__(self, na=3, nsc=114, nt=10, d=256, L=4, H=8):
-        super().__init__()
-        self.proj = nn.Linear(na * nsc, d)
-        self.pos = nn.Parameter(torch.randn(1, nt, d) * 0.02)
-        enc = nn.TransformerEncoderLayer(d, H, d * 2, dropout=0.2, batch_first=True, activation='gelu')
-        self.tf = nn.TransformerEncoder(enc, L)
-        self.att = nn.Linear(d, 1)
-        self.head = nn.Sequential(nn.Linear(d, 256), nn.GELU(), nn.Dropout(0.3), nn.Linear(256, 34))
-        self.gr = GR(d)
-        self.na, self.nsc, self.nt = na, nsc, nt
-
-    def forward(self, x):
-        B = x.shape[0]
-        t = x.permute(0, 3, 1, 2).reshape(B, self.nt, self.na * self.nsc)
-        h = self.tf(self.proj(t) + self.pos)
-        w = torch.softmax(self.att(h), 1)
-        z = (h * w).sum(1)
-        kp0 = torch.sigmoid(self.head(z)).reshape(B, 17, 2)
-        return self.gr(z, kp0).reshape(B, 34)
-
-    def add_lora(self, r=8, alpha=16):
-        """Wrap the input projection + pose head with LoRA adapters (the ~11 KB calibration set)."""
-        self.proj = LoRA(self.proj, r, alpha)
-        self.head[0] = LoRA(self.head[0], r, alpha)
-        self.head[3] = LoRA(self.head[3], r, alpha)
-        return self
-
-    def lora_state(self) -> dict:
-        """Extract just the LoRA A/B tensors (the per-room adapter to save)."""
-        return {k: v.detach().cpu().numpy() for k, v in self.state_dict().items()
-                if k.endswith(".A") or k.endswith(".B")}
-
-    def load_lora(self, adapter: dict):
-        sd = self.state_dict()
-        for k, v in adapter.items():
-            sd[k] = torch.tensor(v)
-        self.load_state_dict(sd)
-        return self
-
-
-def standardize(x: torch.Tensor) -> torch.Tensor:
-    """Per-sample standardization used in training/inference."""
-    return (x - x.mean((1, 2, 3), keepdim=True)) / (x.std((1, 2, 3), keepdim=True) + 1e-6)

aether-arena/calibration/test_calibration.py

@@ -1,103 +0,0 @@
-"""Self-contained regression test for the RuView calibration service.
-
-Exercises the committed CLI end-to-end on synthetic data (CPU, no GPU, no real checkpoint):
-  build a base -> calibrate.py fits an adapter -> infer.py runs base+adapter -> assert the
-  adapter is small, inference is shape-correct and finite, and the adapter actually changes output.
-
-Run:  python test_calibration.py    (or via pytest)
-"""
-import json
-import subprocess
-import sys
-import tempfile
-from pathlib import Path
-
-import numpy as np
-import torch
-
-HERE = Path(__file__).parent
-sys.path.insert(0, str(HERE))
-from model import PoseNet, standardize  # noqa: E402
-
-
-def _make_base(path: Path):
-    torch.manual_seed(0)
-    net = PoseNet()
-    # Save without the deterministic gr.A buffer (mirrors the published checkpoint;
-    # calibrate.py/infer.py load with strict=False).
-    sd = {k: v for k, v in net.state_dict().items() if k != "gr.A"}
-    torch.save(sd, path)
-
-
-def _make_data(path: Path, n: int, seed: int):
-    rng = np.random.default_rng(seed)
-    X = rng.standard_normal((n, 3, 114, 10)).astype(np.float32)
-    Y = rng.random((n, 17, 2)).astype(np.float32)  # keypoints in [0,1]
-    np.savez(path, X=X, Y=Y)
-
-
-def _run(*args):
-    r = subprocess.run(
-        [sys.executable, str(HERE / args[0]), *map(str, args[1:])],
-        capture_output=True, text=True,
-    )
-    assert r.returncode == 0, f"{args[0]} failed:\n{r.stdout}\n{r.stderr}"
-    return r.stdout
-
-
-def test_calibration_end_to_end():
-    with tempfile.TemporaryDirectory() as d:
-        d = Path(d)
-        base = d / "base.pt"
-        calib = d / "calib.npz"
-        frames = d / "frames.npz"
-        adapter = d / "room.adapter.npz"
-        kp = d / "kp.npy"
-
-        _make_base(base)
-        _make_data(calib, n=40, seed=1)     # ≥20 → no underfit warning
-        _make_data(frames, n=16, seed=2)
-
-        # 1) calibrate -> adapter
-        out = _run("calibrate.py", "--base", base, "--data", calib, "--out", adapter,
-                   "--iters", "50", "--device", "cpu")
-        assert adapter.exists(), "adapter not written"
-        assert "saved" in out.lower()
-        sz = adapter.stat().st_size
-        assert sz < 200_000, f"adapter unexpectedly large ({sz} bytes)"
-
-        # adapter contains the expected LoRA tensors (materialize + close so the
-        # Windows tempdir can be cleaned up — np.load keeps a lazy file handle).
-        with np.load(adapter) as z:
-            keys = [k for k in z.files if k.endswith(".A") or k.endswith(".B")]
-            assert keys, f"adapter has no LoRA tensors: {z.files}"
-            lora = {k: z[k].astype(np.float32) for k in keys}
-
-        # 2) infer with adapter -> keypoints
-        _run("infer.py", "--base", base, "--adapter", adapter, "--data", frames,
-             "--out", kp, "--device", "cpu")
-        out_kp = np.load(kp)
-        assert out_kp.shape == (16, 17, 2), f"bad keypoint shape {out_kp.shape}"
-        assert np.isfinite(out_kp).all(), "non-finite keypoints"
-        assert (out_kp >= 0).all() and (out_kp <= 1).all(), "keypoints out of [0,1]"
-
-        # 3) adapter must actually change the output vs the zero-shot base
-        with np.load(frames) as fz:
-            frames_x = fz["X"][:]
-        net = PoseNet()
-        net.load_state_dict(torch.load(base, map_location="cpu"), strict=False)
-        net.eval()
-        x = standardize(torch.tensor(frames_x))
-        with torch.no_grad():
-            base_kp = net(x).reshape(16, 17, 2).numpy()
-        net.add_lora()
-        net.load_lora(lora)
-        net.eval()
-        with torch.no_grad():
-            cal_kp = net(x).reshape(16, 17, 2).numpy()
-        assert np.abs(base_kp - cal_kp).sum() > 1e-4, "adapter did not change output"
-
-
-if __name__ == "__main__":
-    test_calibration_end_to_end()
-    print("PASS: calibration service end-to-end (calibrate -> adapter -> infer)")

aether-arena/calibration/test_cog_calibration.py

@@ -1,75 +0,0 @@
-"""Regression test for the cog-pose adapter producer (cog_calibrate.py).
-
-Uses the in-repo `pose_v1.safetensors` (skips if absent). Verifies the produced adapter:
-  - has the exact keys/shapes the Rust `cog-pose-estimation --adapter` loader expects,
-  - reduces calibration fit error,
-  - actually changes inference output,
-  - is tiny.
-Run: python test_cog_calibration.py   (or via pytest)
-"""
-import os
-import sys
-import tempfile
-from pathlib import Path
-
-import numpy as np
-import torch
-import torch.nn.functional as F
-
-HERE = Path(__file__).parent
-sys.path.insert(0, str(HERE))
-import cog_calibrate as C  # noqa: E402
-
-BASE = HERE / "../../v2/crates/cog-pose-estimation/cog/artifacts/pose_v1.safetensors"
-
-
-def test_cog_adapter_producer():
-    if not BASE.exists():
-        print(f"(skip — {BASE} not present)")
-        return
-    from safetensors.torch import load_file
-
-    rng = np.random.default_rng(0)
-    n = 120
-    X = rng.standard_normal((n, 56, 20)).astype("float32")
-    Y = (0.5 + 0.1 * X[:, :34, 0].reshape(n, 34)).clip(0, 1).astype("float32")
-
-    with tempfile.TemporaryDirectory() as d:
-        calib = os.path.join(d, "calib.npz")
-        adapter = os.path.join(d, "room.safetensors")
-        np.savez(calib, X=X, Y=Y)
-
-        net0 = C.CogPose()
-        C.load_base(net0, str(BASE))
-        net0.eval()
-        with torch.no_grad():
-            base_err = F.smooth_l1_loss(net0(torch.tensor(X)), torch.tensor(Y)).item()
-
-        _, nparam, _ = C.fit(str(BASE), calib, adapter, rank=4, iters=400)
-        t = load_file(adapter)
-
-        # exact Rust loader contract: a:[in,r], b:[r,out]
-        assert tuple(t["fc1.a"].shape) == (128, 4)
-        assert tuple(t["fc1.b"].shape) == (4, 256)
-        assert tuple(t["fc2.a"].shape) == (256, 4)
-        assert tuple(t["fc2.b"].shape) == (4, 34)
-
-        net = C.CogPose()
-        C.load_base(net, str(BASE))
-        net.add_lora(4)
-        with torch.no_grad():
-            net.fc1_lora[0].copy_(t["fc1.a"]); net.fc1_lora[1].copy_(t["fc1.b"] / (16 / 4))
-            net.fc2_lora[0].copy_(t["fc2.a"]); net.fc2_lora[1].copy_(t["fc2.b"] / (16 / 4))
-        net.eval()
-        with torch.no_grad():
-            cal_err = F.smooth_l1_loss(net(torch.tensor(X)), torch.tensor(Y)).item()
-            changed = (net0(torch.tensor(X[:8])) - net(torch.tensor(X[:8]))).abs().sum().item()
-
-        assert cal_err < base_err, f"calibration did not reduce error ({base_err} -> {cal_err})"
-        assert changed > 1e-3, "adapter inert"
-        assert nparam < 5000, f"adapter unexpectedly large ({nparam} params)"
-
-
-if __name__ == "__main__":
-    test_cog_adapter_producer()
-    print("PASS: cog adapter producer (Rust-loadable format, reduces error, active)")

aether-arena/fixtures/expected_score.sha256

@@ -1 +0,0 @@
-9c35e541d51f00998691b98948887ebca09b907d8eb29a113f97e792340456ba

aether-arena/fixtures/smoke_pred.json

@@ -1 +0,0 @@
-{"frames": [{"pred": [[0.4003, 0.2734], [0.5038, 0.4197], [0.2053, 0.4438], [0.4397, 0.685], [0.5796, 0.7645], [0.8001, 0.2195], [0.2789, 0.2833], [0.314, 0.5439], [0.511, 0.2259], [0.6008, 0.46], [0.4837, 0.3879], [0.3475, 0.5597], [0.6569, 0.3575], [0.437, 0.6539], [0.2341, 0.6038], [0.7331, 0.392], [0.5615, 0.4915]]}, {"pred": [[0.4669, 0.6066], [0.6012, 0.7873], [0.4124, 0.5997], [0.2832, 0.281], [0.2732, 0.3635], [0.2503, 0.4848], [0.6827, 0.715], [0.4336, 0.7165], [0.295, 0.3386], [0.5337, 0.3544], [0.4397, 0.5474], [0.5163, 0.5528], [0.7547, 0.6799], [0.4195, 0.4448], [0.2257, 0.2269], [0.384, 0.2176], [0.2419, 0.4332]]}, {"pred": [[0.5585, 0.283], [0.4325, 0.2934], [0.463, 0.4744], [0.4188, 0.3454], [0.215, 0.7565], [0.527, 0.2353], [0.7084, 0.6124], [0.3015, 0.6744], [0.4103, 0.3532], [0.7243, 0.6932], [0.3302, 0.4918], [0.2072, 0.3754], [0.7914, 0.4878], [0.7618, 0.4079], [0.323, 0.3386], [0.7104, 0.4997], [0.2673, 0.6077]]}, {"pred": [[0.6372, 0.4984], [0.4184, 0.6763], [0.4498, 0.7549], [0.2924, 0.303], [0.3069, 0.7022], [0.3954, 0.5098], [0.7836, 0.6071], [0.4733, 0.7114], [0.3407, 0.3793], [0.3408, 0.4678], [0.4156, 0.4911], [0.4525, 0.7519], [0.5117, 0.1985], [0.1893, 0.6784], [0.6281, 0.5346], [0.5175, 0.673], [0.36, 0.3665]]}, {"pred": [[0.5535, 0.6537], [0.568, 0.511], [0.4705, 0.5377], [0.6372, 0.7163], [0.5493, 0.7515], [0.2559, 0.4549], [0.2553, 0.6176], [0.2991, 0.6154], [0.7185, 0.7986], [0.4586, 0.5057], [0.2975, 0.4525], [0.3263, 0.3719], [0.5131, 0.4576], [0.557, 0.5268], [0.6572, 0.7736], [0.2146, 0.6526], [0.4662, 0.7371]]}, {"pred": [[0.2924, 0.7595], [0.2612, 0.2315], [0.2488, 0.7751], [0.2329, 0.7282], [0.4744, 0.4206], [0.3618, 0.267], [0.2477, 0.285], [0.3976, 0.3746], [0.494, 0.2874], [0.3596, 0.2112], [0.3311, 0.4692], [0.6912, 0.4727], [0.4434, 0.5233], [0.4139, 0.7048], [0.425, 0.3937], [0.2326, 0.631], [0.2655, 0.7116]]}, {"pred": [[0.3609, 0.3437], [0.285, 0.486], [0.7734, 0.5468], [0.3657, 0.4093], [0.4728, 0.5019], [0.1866, 0.3545], [0.2172, 0.2028], [0.5613, 0.5238], [0.6252, 0.7205], [0.7998, 0.2954], [0.242, 0.7063], [0.6259, 0.6883], [0.5148, 0.7141], [0.5577, 0.7434], [0.3233, 0.2131], [0.2652, 0.7066], [0.5753, 0.5885]]}, {"pred": [[0.6787, 0.6504], [0.6051, 0.2297], [0.2539, 0.3475], [0.6437, 0.7807], [0.4981, 0.6149], [0.5716, 0.2367], [0.6486, 0.3632], [0.2433, 0.369], [0.6061, 0.3731], [0.4955, 0.2591], [0.7676, 0.7602], [0.6899, 0.7716], [0.3143, 0.7707], [0.3031, 0.4997], [0.7076, 0.5133], [0.3382, 0.7196], [0.2002, 0.4871]]}]}

aether-arena/fixtures/smoke_split.json

@@ -1 +0,0 @@
-{"frames": [{"gt": [[0.3943, 0.2905], [0.5215, 0.4194], [0.2225, 0.4602], [0.4547, 0.6961], [0.5765, 0.7686], [0.7858, 0.2279], [0.2866, 0.2707], [0.3084, 0.549], [0.5286, 0.2377], [0.6082, 0.4566], [0.4719, 0.3799], [0.3465, 0.5447], [0.6377, 0.3728], [0.4509, 0.6543], [0.2235, 0.6009], [0.7253, 0.3882], [0.5479, 0.4737]], "vis": [1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0], "scale": 1.0}, {"gt": [[0.4845, 0.5985], [0.5883, 0.7959], [0.4315, 0.6012], [0.3008, 0.2703], [0.2776, 0.3486], [0.2483, 0.4695], [0.6916, 0.7184], [0.4153, 0.7305], [0.3057, 0.3392], [0.5535, 0.3576], [0.4216, 0.5398], [0.5093, 0.5706], [0.7397, 0.668], [0.4354, 0.4394], [0.2373, 0.2404], [0.404, 0.2315], [0.2609, 0.4182]], "vis": [1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0], "scale": 1.0}, {"gt": [[0.5684, 0.2891], [0.4185, 0.2737], [0.4796, 0.4903], [0.4056, 0.3589], [0.2139, 0.7706], [0.5259, 0.2162], [0.718, 0.6177], [0.3002, 0.6632], [0.3978, 0.3338], [0.7116, 0.6836], [0.336, 0.5106], [0.2168, 0.3677], [0.7739, 0.4683], [0.773, 0.4188], [0.318, 0.3226], [0.7043, 0.4877], [0.2509, 0.5964]], "vis": [1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0], "scale": 1.0}, {"gt": [[0.6501, 0.4868], [0.3995, 0.6805], [0.4408, 0.7681], [0.2762, 0.2907], [0.2877, 0.6959], [0.4102, 0.5292], [0.7825, 0.5898], [0.4603, 0.723], [0.3511, 0.3758], [0.3556, 0.4514], [0.4123, 0.4749], [0.4524, 0.7506], [0.5141, 0.2112], [0.2024, 0.6795], [0.6351, 0.5339], [0.5333, 0.6706], [0.3491, 0.3662]], "vis": [1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0], "scale": 1.0}, {"gt": [[0.537, 0.656], [0.5675, 0.5033], [0.4714, 0.52], [0.6195, 0.7259], [0.5357, 0.766], [0.273, 0.4653], [0.2439, 0.6017], [0.2927, 0.6297], [0.7297, 0.7805], [0.439, 0.4924], [0.2969, 0.4589], [0.3174, 0.3911], [0.5324, 0.4643], [0.5744, 0.5074], [0.673, 0.783], [0.2238, 0.6674], [0.4534, 0.7468]], "vis": [1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0], "scale": 1.0}, {"gt": [[0.2896, 0.7515], [0.2537, 0.2345], [0.2434, 0.763], [0.2502, 0.7137], [0.4723, 0.4035], [0.3607, 0.2775], [0.2657, 0.2969], [0.3872, 0.383], [0.5001, 0.3067], [0.3503, 0.2092], [0.3137, 0.4849], [0.6914, 0.4593], [0.4359, 0.504], [0.4056, 0.6994], [0.4428, 0.4085], [0.2424, 0.6445], [0.2507, 0.7048]], "vis": [1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0], "scale": 1.0}, {"gt": [[0.3692, 0.3453], [0.2945, 0.4675], [0.7836, 0.5282], [0.3857, 0.414], [0.4848, 0.5017], [0.203, 0.3585], [0.225, 0.2135], [0.5513, 0.5175], [0.6296, 0.7275], [0.7908, 0.2897], [0.2263, 0.7012], [0.6403, 0.6873], [0.5026, 0.701], [0.5504, 0.7357], [0.338, 0.2187], [0.2629, 0.7015], [0.5757, 0.6084]], "vis": [1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0], "scale": 1.0}, {"gt": [[0.6786, 0.649], [0.5956, 0.2396], [0.2447, 0.3593], [0.6439, 0.7854], [0.4874, 0.6102], [0.5857, 0.2465], [0.6459, 0.3827], [0.2364, 0.3613], [0.6054, 0.3745], [0.4798, 0.2711], [0.7869, 0.7618], [0.6919, 0.7809], [0.3259, 0.7674], [0.285, 0.5144], [0.6921, 0.5052], [0.3388, 0.7386], [0.2022, 0.495]], "vis": [1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0, 1.0], "scale": 1.0}]}

aether-arena/ledger/ledger.jsonl

@@ -1,5 +0,0 @@
-{"benchmark": "AetherArena", "created": "2026-05-30", "kind": "genesis", "note": "Official Spatial-Intelligence Benchmark \u2014 append-only signed ledger. Entries are real harness scores only; no seeded numbers.", "prev_hash": "0000000000000000000000000000000000000000000000000000000000000000", "row_hash": "940bdc6f0f5dd00f4d89e13a8fa843bab3c9ddf1b8051f426a1701e730249231", "seq": 0, "spec": "ADR-149"}
-{"abs_gain": "+9.38", "benchmark": "MM-Fi", "category": "pose", "caveat": "Protocol-matched MM-Fi random_split result; NOT solved real-world generalization. Random split has temporal/subject-adjacency effects common to this benchmark family. Leakage-free cross-subject is far lower (~11-27%) and is the real deployment frontier.", "harness_version": 1, "kind": "result", "metric": "torso-PCK@20 (||right_shoulder-left_hip|| norm, 17 COCO kpts)", "modality": "wifi-csi", "model_ref": "RuView CSI-Transformer (4L/8H ~2M params, temporal-attention)", "prev_hash": "940bdc6f0f5dd00f4d89e13a8fa843bab3c9ddf1b8051f426a1701e730249231", "protocol": "random_split (ratio=0.8, seed=0)", "rel_gain": "+13.0%", "reproduce": "download MM-Fi -> parse_mmfi_zips.py -> train_tf_torso.py X.npy Y.npy split_random.npy (seed 0)", "row_hash": "76598d8e1320d5248f8cd854a8ffa22a99bd2a2f0e0e7f2d2b1df79af16001d5", "score_pct": 81.63, "scored_at": "2026-05-30", "seq": 1, "sota_ref": "MultiFormer 72.25 (CSI2Pose 68.41)", "submitter": "ruvnet", "tier": "Gold"}
-{"abs_gain": "+11.34", "benchmark": "MM-Fi", "category": "pose", "harness_version": 1, "kind": "result", "metric": "torso-PCK@20", "modality": "wifi-csi", "model_ref": "RuView CSI-Transformer + skeleton-graph head + 3-ensemble + TTA", "note": "Best in-domain. Stacks attention-pooling + transformer + skeleton-graph refine + warmup + TTA + 3-model ensemble. Supersedes the 81.63 single-model entry.", "prev_hash": "76598d8e1320d5248f8cd854a8ffa22a99bd2a2f0e0e7f2d2b1df79af16001d5", "protocol": "random_split (0.8, seed 0)", "row_hash": "5780a4bc3e98eb0e30c1ecfa9091e57b280444fa1f21cd5146797e408580e4ab", "score_pct": 83.59, "scored_at": "2026-05-30", "seq": 2, "sota_ref": "MultiFormer 72.25 (CSI2Pose 68.41)", "submitter": "ruvnet", "tier": "Gold"}
-{"benchmark": "MM-Fi", "category": "pose", "harness_version": 1, "kind": "result", "metric": "torso-PCK@20", "modality": "wifi-csi", "model_ref": "RuView CSI-Transformer", "note": "Leakage-free generalization to unseen people, shared rooms. Honest deployment-relevant number.", "prev_hash": "5780a4bc3e98eb0e30c1ecfa9091e57b280444fa1f21cd5146797e408580e4ab", "protocol": "cross_subject (official, val=S05,S10,..,S40)", "row_hash": "d989e4e1dbc0182610305fdfbde8b094413b87c913283a46bf41f4afba7a06fd", "score_pct": 64.04, "scored_at": "2026-05-30", "seq": 3, "sota_ref": "(no matched public ref)", "submitter": "ruvnet", "tier": "Silver"}
-{"benchmark": "MM-Fi", "category": "pose", "harness_version": 1, "kind": "result", "metric": "torso-PCK@20", "modality": "wifi-csi", "model_ref": "RuView CSI-Transformer + CORAL domain alignment", "note": "The real deployment frontier (new room). CORAL transductive DG (+30% rel over control). Data-bound: MM-Fi has only 3 source rooms.", "prev_hash": "d989e4e1dbc0182610305fdfbde8b094413b87c913283a46bf41f4afba7a06fd", "protocol": "cross_environment (train E01-03 -> test E04, new room)", "row_hash": "bf370487bde88e198c13877956dab3c83766a6a24afef0b78b6ac7aa130bb207", "score_pct": 17.51, "scored_at": "2026-05-30", "seq": 4, "sota_ref": "(hard frontier; control 13.52)", "submitter": "ruvnet", "tier": "Bronze"}

aether-arena/ledger/ledger_tools.py

@@ -1,100 +0,0 @@
-#!/usr/bin/env python3
-"""AetherArena append-only, tamper-evident results ledger (ADR-149 §2.3/§2.4).
-
-Each row is hash-chained to the previous one: ``row_hash = sha256(canonical_row
-+ prev_hash)``. Any silent edit to an earlier row breaks every subsequent
-``prev_hash`` link, so the ledger is append-only and verifiable by anyone — no
-trust in the maintainer required. (Ed25519 row signing is the next hardening;
-the chain already makes tampering detectable.)
-
-Usage:
-    python ledger_tools.py seed        # (re)build ledger.jsonl with genesis + baseline
-    python ledger_tools.py verify      # verify the whole chain  -> exit 0 / 1
-    python ledger_tools.py append '<json-row>'   # append one scored row
-"""
-import hashlib
-import json
-import sys
-from pathlib import Path
-
-LEDGER = Path(__file__).parent / "ledger.jsonl"
-GENESIS_PREV = "0" * 64
-
-
-def canonical(row: dict) -> bytes:
-    # Stable key order, no whitespace -> deterministic bytes for hashing.
-    body = {k: row[k] for k in sorted(row) if k != "row_hash"}
-    return json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
-
-
-def row_hash(row: dict) -> str:
-    return hashlib.sha256(canonical(row)).hexdigest()
-
-
-def read_rows() -> list[dict]:
-    if not LEDGER.exists():
-        return []
-    return [json.loads(l) for l in LEDGER.read_text().splitlines() if l.strip()]
-
-
-def append(entry: dict) -> dict:
-    rows = read_rows()
-    prev = rows[-1]["row_hash"] if rows else GENESIS_PREV
-    entry = dict(entry)
-    entry["seq"] = len(rows)
-    entry["prev_hash"] = prev
-    entry["row_hash"] = row_hash(entry)
-    with LEDGER.open("a") as f:
-        f.write(json.dumps(entry, sort_keys=True) + "\n")
-    return entry
-
-
-def verify() -> bool:
-    rows = read_rows()
-    prev = GENESIS_PREV
-    for i, r in enumerate(rows):
-        if r.get("seq") != i:
-            print(f"FAIL: row {i} seq mismatch ({r.get('seq')})")
-            return False
-        if r.get("prev_hash") != prev:
-            print(f"FAIL: row {i} prev_hash broken — ledger was edited")
-            return False
-        if r.get("row_hash") != row_hash(r):
-            print(f"FAIL: row {i} row_hash mismatch — row was tampered")
-            return False
-        prev = r["row_hash"]
-    print(f"OK: {len(rows)} rows, chain intact")
-    return True
-
-
-def seed():
-    """Rebuild with the genesis row only — an EMPTY board.
-
-    Benchmark-first: no placeholder/hand-entered numbers ever sit on the
-    leaderboard. Every result row is produced by the real scoring pipeline
-    (load model -> run inference -> score against the private eval split ->
-    proof hash). The board starts empty and awaits the first real harness score,
-    including RuView's own — which gets no special seeding.
-    """
-    if LEDGER.exists():
-        LEDGER.unlink()
-    append({
-        "kind": "genesis",
-        "benchmark": "AetherArena",
-        "spec": "ADR-149",
-        "note": "Official Spatial-Intelligence Benchmark — append-only signed ledger. "
-                "Entries are real harness scores only; no seeded numbers.",
-        "created": "2026-05-30",
-    })
-
-
-if __name__ == "__main__":
-    cmd = sys.argv[1] if len(sys.argv) > 1 else "verify"
-    if cmd == "seed":
-        seed(); verify()
-    elif cmd == "verify":
-        sys.exit(0 if verify() else 1)
-    elif cmd == "append":
-        print(json.dumps(append(json.loads(sys.argv[2])), indent=2))
-    else:
-        print(__doc__); sys.exit(2)

aether-arena/schema/aa-submission.toml

@@ -1,41 +0,0 @@
-# AetherArena submission manifest (ADR-149 §2.2).
-# Accompanies a model artifact pushed to the AA Hugging Face Space.
-# This file is the contract the Space validates before quarantine + scoring.
-
-[submission]
-# Free-form display name shown on the leaderboard.
-name = "my-spatial-model"
-# Hugging Face repo or URL of the model artifact (.safetensors / .rvf / LoRA adapter).
-model_ref = "hf://your-org/your-model"
-# Submitter handle (HF username / org). Used to sign the ledger row.
-submitter = "your-hf-username"
-# SPDX license of the submitted model.
-license = "Apache-2.0"
-
-[category]
-# One of: pose | presence | tracking | vitals | multi-task
-# v0 ranks: pose, presence (tracking/vitals activate when ground truth lands).
-primary = "pose"
-
-[input]
-# Which ADR-145 FeatureSet the model consumes. v0 input is RF/WiFi CSI.
-#   F0 = CSI amplitude/phase   F1 = +CIR   F2 = +Doppler   F3 = +BFLD
-feature_set = "F0"
-# Tensor I/O contract so the scorer can feed the model correctly.
-input_shape = [114, 2]      # subcarriers × {amp, phase}  (example)
-output_shape = [17, 2]      # 17 keypoints × {x, y} normalised [0,1]
-# Normalisation expected on the input ("none" | "zscore" | "minmax").
-normalization = "zscore"
-
-[runtime]
-# Inference entrypoint inside the artifact (framework-specific).
-framework = "candle"        # candle | onnx | torch
-# Optional: target the edge-latency category with a declared device class.
-device_class = "cpu"        # cpu | pi5 | gpu
-
-# Notes:
-# - You submit a MODEL, never predictions on data you hold.
-# - Scoring runs against a PRIVATE MM-Fi held-out split in a no-network,
-#   read-only sandbox. You cannot see the eval data.
-# - The resulting score is a signed, append-only ledger row carrying a
-#   determinism proof hash and the pinned harness_version.

aether-arena/space/README.md

@@ -1,37 +0,0 @@
----
-title: AetherArena — Spatial-Intelligence Benchmark
-emoji: 📡
-colorFrom: indigo
-colorTo: purple
-sdk: gradio
-sdk_version: 5.9.1
-python_version: "3.12"
-app_file: app.py
-pinned: true
-license: cc-by-nc-4.0
-tags:
-  - benchmark
-  - leaderboard
-  - wifi-sensing
-  - spatial-intelligence
-  - pose-estimation
----
-
-# AetherArena ("AA") — The Official Spatial-Intelligence Benchmark
-
-> Public leaderboard. Private evaluation split. Open scorer. Signed results.
-
-The field's standard yardstick for camera-free **spatial intelligence** (pose, presence,
-occupancy, tracking, vitals) from RF/WiFi and, over time, mmWave / UWB / multimodal.
-
-- **Project-agnostic** — any team, framework, or modality enters; RuView donated the seed
-  scorer and is scored like everyone else.
-- **Benchmark-first** — the board starts empty; every row is a real scoring-pipeline
-  **witness** (`inputs_sha256` + `proof_sha256` + `harness_version`) in an append-only,
-  hash-chained, tamper-evident ledger.
-- **Reproducible** — the scorer is open; reproduce any proof hash + repeatability locally.
-
-Spec: [ADR-149](https://github.com/ruvnet/RuView/blob/main/docs/adr/ADR-149-public-community-leaderboard-huggingface.md).
-Source + open scorer: https://github.com/ruvnet/RuView/tree/main/aether-arena
-
-Non-commercial (CC BY-NC 4.0): the v0 eval split derives from MM-Fi (CC BY-NC); AA is operated non-commercially.

aether-arena/space/app.py

@@ -1,161 +0,0 @@
-"""AetherArena ("AA") — The Official Spatial-Intelligence Benchmark.
-
-Hugging Face Space (Gradio) — the public face of the benchmark (ADR-149).
-This Space is the presentation + submission layer; the heavy scoring runs in the
-pinned RuView harness (CI / scorer container), and results land in the append-only,
-hash-chained **witness ledger** shown here.
-
-Benchmark-first: the board starts EMPTY. No seeded or hand-entered numbers — every
-row is a real scoring-pipeline witness (inputs_sha256 + proof_sha256 + harness_version).
-"""
-import hashlib
-import json
-from pathlib import Path
-
-import gradio as gr
-
-LEDGER = Path(__file__).parent / "ledger.jsonl"
-GENESIS_PREV = "0" * 64
-
-
-def _rows():
-    if not LEDGER.exists():
-        return []
-    return [json.loads(l) for l in LEDGER.read_text().splitlines() if l.strip()]
-
-
-def _canon(row: dict) -> bytes:
-    body = {k: row[k] for k in sorted(row) if k != "row_hash"}
-    return json.dumps(body, separators=(",", ":"), sort_keys=True).encode()
-
-
-def verify_chain():
-    rows, prev = _rows(), GENESIS_PREV
-    for i, r in enumerate(rows):
-        if r.get("prev_hash") != prev or r.get("row_hash") != hashlib.sha256(_canon(r)).hexdigest():
-            return f"❌ Ledger chain BROKEN at row {i} — tampering detected."
-        prev = r["row_hash"]
-    return f"✅ Witness ledger chain intact — {len(rows)} row(s), append-only."
-
-
-def leaderboard(category: str):
-    results = [r for r in _rows() if r.get("kind") == "result" and (category == "all" or r.get("category") == category)]
-    if not results:
-        return [["— no entries yet —", "", "", "", "", ""]]
-    results.sort(key=lambda r: r.get("score_pct") or 0, reverse=True)
-    return [[
-        r.get("submitter", "?"),
-        r.get("model_ref", "?"),
-        f"{r.get('benchmark','?')} / {r.get('protocol','?')}",
-        r.get("metric", "?"),
-        f"{r.get('score_pct', 0):.2f}%",
-        f"{r.get('tier','?')} (vs {r.get('sota_ref','?')})",
-    ] for r in results]
-
-
-FOUR_PART = "### Public leaderboard. Private evaluation split. Open scorer. Signed results."
-
-ABOUT = """
-**AetherArena** is the official, project-agnostic **Spatial-Intelligence Benchmark** —
-camera-free pose, presence, occupancy, tracking, and vitals from RF/WiFi (and, over
-time, mmWave / UWB / radar / multimodal). It is **not** a single-vendor board: any
-team, framework, or modality enters, and every entrant — including the RuView baseline
-that donated the seed scorer — is scored by the identical, open, pinned harness.
-
-The scorer reuses RuView's released `wifi-densepose-train` acceptance harness
-(`ruview_metrics` + ablation). You submit a **model, not predictions**; it is scored
-against a **private** MM-Fi held-out split; one **witness** row (inputs hash + proof
-hash + harness version) is appended to a **hash-chained, tamper-evident ledger**.
-
-**For industry:** a vendor-neutral, auditable way to compare RF-sensing models on equal
-footing — the same standardized splits, the same metric definition, the same signed,
-reproducible ledger. No more "trust our number on our split." Vendors, labs, and startups
-all submit through one pipeline and are scored identically.
-
-**Generalization Track (roadmap):** the headline isn't a single in-domain number — it's a
-battery of honest tracks: MM-Fi `random_split` (in-domain), `cross_subject` (unseen people),
-cross-room, cross-device, and confidence-calibration (ECE). Cross-subject is the real
-deployment frontier and is treated as the flagship hard benchmark.
-
-Spec: ADR-149. v0 ranks **pose, presence, edge-latency, determinism**. Tracking &
-vitals activate when their ground truth lands; **privacy-leakage** is gated until the
-membership-inference attacker ships. Source + the open scorer:
-https://github.com/ruvnet/RuView/tree/main/aether-arena
-"""
-
-SUBMIT = """
-### Submit a model
-
-1. Write a manifest — [`schema/aa-submission.toml`](https://github.com/ruvnet/RuView/blob/main/aether-arena/schema/aa-submission.toml):
-   declare your model ref, category, the ADR-145 feature set (F0 CSI … F3 BFLD), and the tensor I/O contract.
-2. Provide your model artifact (`.safetensors` / `.rvf` / LoRA adapter).
-3. It moves through `submitted → validated → quarantined → smoke_scored → full_scored → published`,
-   scored in a no-network, read-only sandbox against the private split.
-4. Your signed witness row appears on the leaderboard.
-
-**You submit a model, never predictions** — predictions on data you hold prove nothing.
-"""
-
-VERIFY = """
-### Verify it's fair (you don't have to trust us)
-
-The scorer is open and reproducible. Reproduce the determinism proof + repeatability locally:
-
-```bash
-git clone https://github.com/ruvnet/RuView && cd RuView/v2
-# determinism gate (same as CI):
-cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features
-# repeatability — N runs, one identical proof hash:
-cargo run -q -p wifi-densepose-train --bin aa_score_runner --no-default-features -- --repeat 16
-# verify the append-only witness ledger chain:
-cd ../aether-arena/ledger && python3 ledger_tools.py verify
-```
-
-A stranger must be able to: submit → get a deterministic score → see the signed row →
-rerun the scorer locally → understand why the rank is fair. That is the launch gate (ADR-149 §7).
-"""
-
-with gr.Blocks(title="AetherArena — Spatial-Intelligence Benchmark") as demo:
-    gr.Markdown("# 📡 AetherArena (AA)\n## The Official, Vendor-Neutral Benchmark for WiFi / RF Spatial Sensing")
-    gr.Markdown(FOUR_PART)
-    gr.Markdown(
-        "**An open industry benchmark — for everyone, not any one vendor.** Submit any model, any framework, "
-        "any modality. Every entrant — academic, startup, or incumbent — is scored *identically*: standardized "
-        "protocols (MM-Fi `random_split` / `cross_subject`), matched metrics (torso-PCK@20, the published "
-        "definition), and an auditable, hash-chained **witness ledger** anyone can verify and reproduce.\n\n"
-        "**Why it exists:** WiFi/RF-sensing results are reported with inconsistent splits, metrics, and no "
-        "auditability — so numbers aren't comparable. AetherArena fixes the *measurement*: one protocol, one "
-        "metric, one signed ledger, one-command reproduction. The benchmark is the product; the leaderboard is "
-        "just the scoreboard. (Reference implementation seeded by RuView, ADR-149.)"
-    )
-    chain = gr.Markdown(verify_chain())
-
-    with gr.Tab("🏆 Leaderboard"):
-        gr.Markdown(
-            "### Current standings — MM-Fi WiFi-CSI 2D pose, torso-PCK@20\n"
-            "Ranked, protocol- & metric-matched results. Each row carries its own caveats in the ledger "
-            "(e.g. `random_split` has temporal-adjacency leakage that inflates *all* methods equally — the "
-            "leakage-free `cross_subject` track is the real deployment frontier). **Submit yours — top the board.**"
-        )
-        cat = gr.Dropdown(["all", "pose", "presence"], value="all", label="Category")
-        tbl = gr.Dataframe(
-            headers=["Submitter", "Model", "Benchmark / Protocol", "Metric", "Score", "Tier (vs prior SOTA)"],
-            value=leaderboard("all"), interactive=False, wrap=True,
-        )
-        cat.change(leaderboard, cat, tbl)
-        gr.Markdown(
-            "*Vendor-neutral & benchmark-first: every row is a real, metric- and protocol-matched result — "
-            "no seeded or vendor-favored numbers. Integrity is enforced, not promised: the current top entry's "
-            "score was self-corrected down from an inflated metric (91.86% bbox → 81.63% torso) before it could "
-            "be published. The same scorer and ledger apply to every submitter.*"
-        )
-
-    with gr.Tab("📤 Submit"):
-        gr.Markdown(SUBMIT)
-    with gr.Tab("🔬 Verify"):
-        gr.Markdown(VERIFY)
-    with gr.Tab("ℹ️ About"):
-        gr.Markdown(ABOUT)
-
-if __name__ == "__main__":
-    demo.launch(server_name="0.0.0.0", server_port=7860)

aether-arena/space/ledger.jsonl

@@ -1,5 +0,0 @@
-{"benchmark": "AetherArena", "created": "2026-05-30", "kind": "genesis", "note": "Official Spatial-Intelligence Benchmark \u2014 append-only signed ledger. Entries are real harness scores only; no seeded numbers.", "prev_hash": "0000000000000000000000000000000000000000000000000000000000000000", "row_hash": "940bdc6f0f5dd00f4d89e13a8fa843bab3c9ddf1b8051f426a1701e730249231", "seq": 0, "spec": "ADR-149"}
-{"abs_gain": "+9.38", "benchmark": "MM-Fi", "category": "pose", "caveat": "Protocol-matched MM-Fi random_split result; NOT solved real-world generalization. Random split has temporal/subject-adjacency effects common to this benchmark family. Leakage-free cross-subject is far lower (~11-27%) and is the real deployment frontier.", "harness_version": 1, "kind": "result", "metric": "torso-PCK@20 (||right_shoulder-left_hip|| norm, 17 COCO kpts)", "modality": "wifi-csi", "model_ref": "RuView CSI-Transformer (4L/8H ~2M params, temporal-attention)", "prev_hash": "940bdc6f0f5dd00f4d89e13a8fa843bab3c9ddf1b8051f426a1701e730249231", "protocol": "random_split (ratio=0.8, seed=0)", "rel_gain": "+13.0%", "reproduce": "download MM-Fi -> parse_mmfi_zips.py -> train_tf_torso.py X.npy Y.npy split_random.npy (seed 0)", "row_hash": "76598d8e1320d5248f8cd854a8ffa22a99bd2a2f0e0e7f2d2b1df79af16001d5", "score_pct": 81.63, "scored_at": "2026-05-30", "seq": 1, "sota_ref": "MultiFormer 72.25 (CSI2Pose 68.41)", "submitter": "ruvnet", "tier": "Gold"}
-{"abs_gain": "+11.34", "benchmark": "MM-Fi", "category": "pose", "harness_version": 1, "kind": "result", "metric": "torso-PCK@20", "modality": "wifi-csi", "model_ref": "RuView CSI-Transformer + skeleton-graph head + 3-ensemble + TTA", "note": "Best in-domain. Stacks attention-pooling + transformer + skeleton-graph refine + warmup + TTA + 3-model ensemble. Supersedes the 81.63 single-model entry.", "prev_hash": "76598d8e1320d5248f8cd854a8ffa22a99bd2a2f0e0e7f2d2b1df79af16001d5", "protocol": "random_split (0.8, seed 0)", "row_hash": "5780a4bc3e98eb0e30c1ecfa9091e57b280444fa1f21cd5146797e408580e4ab", "score_pct": 83.59, "scored_at": "2026-05-30", "seq": 2, "sota_ref": "MultiFormer 72.25 (CSI2Pose 68.41)", "submitter": "ruvnet", "tier": "Gold"}
-{"benchmark": "MM-Fi", "category": "pose", "harness_version": 1, "kind": "result", "metric": "torso-PCK@20", "modality": "wifi-csi", "model_ref": "RuView CSI-Transformer", "note": "Leakage-free generalization to unseen people, shared rooms. Honest deployment-relevant number.", "prev_hash": "5780a4bc3e98eb0e30c1ecfa9091e57b280444fa1f21cd5146797e408580e4ab", "protocol": "cross_subject (official, val=S05,S10,..,S40)", "row_hash": "d989e4e1dbc0182610305fdfbde8b094413b87c913283a46bf41f4afba7a06fd", "score_pct": 64.04, "scored_at": "2026-05-30", "seq": 3, "sota_ref": "(no matched public ref)", "submitter": "ruvnet", "tier": "Silver"}
-{"benchmark": "MM-Fi", "category": "pose", "harness_version": 1, "kind": "result", "metric": "torso-PCK@20", "modality": "wifi-csi", "model_ref": "RuView CSI-Transformer + CORAL domain alignment", "note": "The real deployment frontier (new room). CORAL transductive DG (+30% rel over control). Data-bound: MM-Fi has only 3 source rooms.", "prev_hash": "d989e4e1dbc0182610305fdfbde8b094413b87c913283a46bf41f4afba7a06fd", "protocol": "cross_environment (train E01-03 -> test E04, new room)", "row_hash": "bf370487bde88e198c13877956dab3c83766a6a24afef0b78b6ac7aa130bb207", "score_pct": 17.51, "scored_at": "2026-05-30", "seq": 4, "sota_ref": "(hard frontier; control 13.52)", "submitter": "ruvnet", "tier": "Bronze"}

aether-arena/space/requirements.txt

@@ -1 +0,0 @@
-gradio==5.9.1

archive/v1/data/proof/cir_verify_helper.py

@@ -1,130 +0,0 @@
-#!/usr/bin/env python3
-"""
-CIR Verification Helper (ADR-134)
-
-Optional Python comparator — invokes the Rust cir_proof_runner binary and
-checks its output against expected_cir_features.sha256.
-
-Usage:
-  python cir_verify_helper.py              # verify against stored hash
-  python cir_verify_helper.py --generate  # regenerate hash via Rust binary
-
-This script is a thin wrapper; all cryptographic work is done in the Rust
-binary. It exists to integrate the CIR proof step into the Python verify.py
-flow if needed.
-"""
-
-import argparse
-import os
-import subprocess
-import sys
-
-SCRIPT_DIR = os.path.dirname(os.path.abspath(__file__))
-REPO_ROOT = os.path.abspath(os.path.join(SCRIPT_DIR, "..", "..", "..", ".."))
-
-
-def find_binary() -> str:
-    """Locate the cir_proof_runner binary."""
-    candidates = [
-        os.path.join(REPO_ROOT, "v2", "target", "release", "cir_proof_runner"),
-        os.path.join(REPO_ROOT, "v2", "target", "release", "cir_proof_runner.exe"),
-        os.path.join(REPO_ROOT, "v2", "target", "debug", "cir_proof_runner"),
-        os.path.join(REPO_ROOT, "v2", "target", "debug", "cir_proof_runner.exe"),
-    ]
-    for path in candidates:
-        if os.path.isfile(path):
-            return path
-    return ""
-
-
-def build_binary() -> bool:
-    """Build the release binary via cargo."""
-    print("Building cir_proof_runner (release)...")
-    result = subprocess.run(
-        [
-            "cargo", "build",
-            "-p", "wifi-densepose-signal",
-            "--bin", "cir_proof_runner",
-            "--release",
-            "--no-default-features",
-        ],
-        cwd=os.path.join(REPO_ROOT, "v2"),
-        capture_output=True,
-        text=True,
-    )
-    if result.returncode != 0:
-        print("Build failed:", result.stderr[-2000:])
-        return False
-    return True
-
-
-def run_generate(binary: str) -> str:
-    """Run the binary with --generate-hash; return the hex hash."""
-    result = subprocess.run(
-        [binary, "--generate-hash"],
-        cwd=REPO_ROOT,
-        capture_output=True,
-        text=True,
-    )
-    if result.returncode != 0:
-        print("Error running binary:", result.stderr)
-        return ""
-    return result.stdout.strip()
-
-
-def run_verify(binary: str) -> bool:
-    """Run the binary in verify mode; return True on PASS."""
-    result = subprocess.run(
-        [binary],
-        cwd=REPO_ROOT,
-        capture_output=True,
-        text=True,
-    )
-    print(result.stdout.strip())
-    if result.stderr.strip():
-        print(result.stderr.strip(), file=sys.stderr)
-    return result.returncode == 0
-
-
-def main() -> None:
-    parser = argparse.ArgumentParser(description="CIR verification helper (ADR-134)")
-    parser.add_argument(
-        "--generate",
-        action="store_true",
-        help="Regenerate expected_cir_features.sha256 via Rust binary",
-    )
-    parser.add_argument(
-        "--build",
-        action="store_true",
-        default=False,
-        help="Build the binary before running (default: use cached binary)",
-    )
-    args = parser.parse_args()
-
-    binary = find_binary()
-
-    if args.build or not binary:
-        if not build_binary():
-            sys.exit(1)
-        binary = find_binary()
-
-    if not binary:
-        print("ERROR: cir_proof_runner binary not found. Run with --build.")
-        sys.exit(1)
-
-    if args.generate:
-        hash_val = run_generate(binary)
-        if not hash_val:
-            sys.exit(1)
-        hash_file = os.path.join(SCRIPT_DIR, "expected_cir_features.sha256")
-        with open(hash_file, "w") as f:
-            f.write(hash_val + "\n")
-        print(f"Wrote CIR hash to {hash_file}")
-        print(f"Hash: {hash_val}")
-    else:
-        ok = run_verify(binary)
-        sys.exit(0 if ok else 1)
-
-
-if __name__ == "__main__":
-    main()

archive/v1/data/proof/expected_calibration_features.sha256

@@ -1 +0,0 @@
-d6bce07ecb1648e6936561df44bf4a3bfc17bb0ba5f692646b2301d105b52f67

archive/v1/data/proof/expected_cir_features.sha256

@@ -1 +0,0 @@
-304d54690af468dc6cbf0f2a1332f109cf187d5e2eab454efd8554cebc45bdeb

archive/v1/data/proof/expected_features.sha256

@@ -1 +1 @@
-f8e76f21a0f9852b70b6d9dd5318239f6b20cbcb4cdd995863263cecdc446f7a
+667eb054c44ac510342665bf9c93d608868a8ead948ae8774b2796ebce6f8fe7

archive/v1/data/proof/verify.py

@@ -185,14 +185,7 @@ def frame_to_csi_data(frame, signal_meta):
 # observed pipeline-amplified ULP drift and is still far below any meaningful
 # signal change (CSI phase precision is ~1e-3 rad; PSD bins differ by orders
 # of magnitude). Round to this precision, then hash.
-#
-# NOTE: 6 decimals collapses the divergence *across Linux microarchitectures*
-# but NOT Windows-vs-Linux, where the pocketfft/BLAS difference exceeds 1e-6 on
-# a few elements that then straddle the 6th-decimal rounding boundary. The
-# precision is overridable via PROOF_HASH_DECIMALS so it can be coarsened to a
-# value that is boundary-stable across *all* platforms (Windows + Linux + macOS)
-# while staying far below any signal-meaningful change.
-HASH_QUANTIZATION_DECIMALS = int(os.environ.get("PROOF_HASH_DECIMALS", "6"))
+HASH_QUANTIZATION_DECIMALS = 6
 
 
 def features_to_bytes(features):
@@ -212,20 +205,13 @@ def features_to_bytes(features):
     """
     parts = []
 
-    # Serialize each feature array in declaration order.
-    # doppler_shift is INTENTIONALLY excluded: it is peak-normalized
-    # (`spectrum / max(spectrum)` in csi_processor._extract_doppler_features),
-    # and when the raw spectrum has near-tied peaks the argmax flips under
-    # cross-microarchitecture FP reordering, renormalizing the whole array
-    # (O(1) divergence — not absorbable by any tolerance). The remaining five
-    # features, including the FFT-based PSD, reproduce deterministically and
-    # provide the proof. (The underlying doppler instability is a production
-    # reproducibility bug tracked separately.)
+    # Serialize each feature array in declaration order
     for array in [
         features.amplitude_mean,
         features.amplitude_variance,
         features.phase_difference,
         features.correlation_matrix,
+        features.doppler_shift,
         features.power_spectral_density,
     ]:
         flat = np.asarray(array, dtype=np.float64).ravel()
@@ -239,45 +225,6 @@ def features_to_bytes(features):
     return b"".join(parts)
 
 
-# ── Cross-platform tolerance gate (issue #560 follow-up) ─────────────────────
-# The SHA-256 of fixed-decimal-rounded features is bit-exact only WITHIN one
-# CPU microarchitecture. The pocketfft / BLAS kernels in the manylinux
-# numpy/scipy wheels reorder floating-point reductions differently across
-# microarchs (e.g. a GitHub Azure runner vs a developer box vs another Linux
-# host), and the resulting ~1e-6 *relative* drift lands on large-magnitude PSD
-# bins as an absolute difference too large for ANY fixed-decimal grid to absorb
-# (empirically the hash diverges across microarchs even at 2 decimals). So:
-#   • the hash is the strong, bit-exact, SAME-platform proof, and
-#   • a relative tolerance against a committed reference vector is the
-#     platform-INDEPENDENT proof.
-# A run PASSES if either matches. Tolerances sit ~100x over the observed
-# microarch drift and ~10x under any signal-meaningful change (CSI phase
-# precision ~1e-3 rad), so real pipeline regressions still fail.
-TOLERANCE_RTOL = 1e-4
-TOLERANCE_ATOL = 1e-6
-REFERENCE_VECTOR_FILENAME = "expected_features_reference.npz"
-
-
-def features_to_vector(features):
-    """Concatenate a frame's feature arrays as raw float64 (no rounding).
-
-    Mirrors ``features_to_bytes`` ordering but keeps full precision, for the
-    tolerance-based cross-platform comparison.
-    """
-    # doppler_shift excluded — see features_to_bytes for the rationale
-    # (peak-normalization argmax instability across CPU microarchitectures).
-    arrays = [
-        features.amplitude_mean,
-        features.amplitude_variance,
-        features.phase_difference,
-        features.correlation_matrix,
-        features.power_spectral_density,
-    ]
-    return np.concatenate(
-        [np.asarray(a, dtype=np.float64).ravel() for a in arrays]
-    )
-
-
 def compute_pipeline_hash(data_path, verbose=False):
     """Run the full pipeline and compute the SHA-256 hash of all features.
 
@@ -320,7 +267,6 @@ def compute_pipeline_hash(data_path, verbose=False):
     features_count = 0
     total_feature_bytes = 0
     last_features = None
-    feature_vectors = []
     doppler_nonzero_count = 0
     doppler_shape = None
     psd_shape = None
@@ -337,7 +283,6 @@ def compute_pipeline_hash(data_path, verbose=False):
         if features is not None:
             feature_bytes = features_to_bytes(features)
             hasher.update(feature_bytes)
-            feature_vectors.append(features_to_vector(features))
             features_count += 1
             total_feature_bytes += len(feature_bytes)
             last_features = features
@@ -406,11 +351,7 @@ def compute_pipeline_hash(data_path, verbose=False):
         "psd_shape": psd_shape,
     }
 
-    reference_vector = (
-        np.concatenate(feature_vectors) if feature_vectors else np.array([], dtype=np.float64)
-    )
-
-    return hasher.hexdigest(), reference_vector, stats
+    return hasher.hexdigest(), stats
 
 
 def audit_codebase(base_dir=None):
@@ -526,7 +467,7 @@ def main():
     print("    This runs the SAME CSIProcessor.preprocess_csi_data() and")
     print("    CSIProcessor.extract_features() used in production.")
     print()
-    computed_hash, computed_vector, stats = compute_pipeline_hash(data_path, verbose=args.verbose)
+    computed_hash, stats = compute_pipeline_hash(data_path, verbose=args.verbose)
 
     # ---------------------------------------------------------------
     # Step 3: Hash comparison
@@ -538,11 +479,8 @@ def main():
         with open(hash_path, "w") as f:
             f.write(computed_hash + "\n")
         print(f"    Wrote expected hash to {hash_path}")
-        ref_path = os.path.join(SCRIPT_DIR, REFERENCE_VECTOR_FILENAME)
-        np.savez_compressed(ref_path, features=computed_vector)
-        print(f"    Wrote reference vector ({computed_vector.size} values) to {ref_path}")
         print()
-        print("  HASH + REFERENCE GENERATED -- run without --generate-hash to verify.")
+        print("  HASH GENERATED -- run without --generate-hash to verify.")
         print("=" * 72)
         return
 
@@ -561,70 +499,13 @@ def main():
 
     print(f"    Expected: {expected_hash}")
 
-    hash_match = computed_hash == expected_hash
-
-    # Cross-platform fallback: if the bit-exact hash differs (different CPU
-    # microarchitecture reorders the pocketfft/BLAS reductions), accept the run
-    # when the raw feature vector matches the committed reference within a
-    # relative tolerance — platform-independent where the hash is not (#560).
-    tolerance_match = False
-    max_abs_dev = None
-    max_rel_dev = None
-    ref_path = os.path.join(SCRIPT_DIR, REFERENCE_VECTOR_FILENAME)
-    if not hash_match and os.path.exists(ref_path):
-        ref_vec = np.load(ref_path)["features"]
-        if ref_vec.shape == computed_vector.shape:
-            tolerance_match = bool(
-                np.allclose(
-                    computed_vector, ref_vec, rtol=TOLERANCE_RTOL, atol=TOLERANCE_ATOL
-                )
-            )
-            diff = np.abs(computed_vector - ref_vec)
-            max_abs_dev = float(np.max(diff)) if diff.size else 0.0
-            max_rel_dev = (
-                float(np.max(diff / np.maximum(np.abs(ref_vec), 1e-12)))
-                if diff.size
-                else 0.0
-            )
-
-    if hash_match:
-        match_status = "MATCH (bit-exact)"
-    elif tolerance_match:
-        match_status = f"TOLERANCE MATCH (max rel dev {max_rel_dev:.2e})"
+    if computed_hash == expected_hash:
+        match_status = "MATCH"
     else:
         match_status = "MISMATCH"
     print(f"    Status:   {match_status}")
     print()
 
-    if not hash_match and max_abs_dev is not None:
-        block_sizes = [56, 56, 55, 9, 128]  # per-frame feature layout (doppler excluded)
-        block_names = ["amp_mean", "amp_var", "phase_diff", "corr", "psd"]
-        frame_len = sum(block_sizes)
-        tol = TOLERANCE_ATOL + TOLERANCE_RTOL * np.abs(ref_vec)
-        outside = diff > tol
-        n_out = int(outside.sum())
-        print(
-            f"    DIVERGENCE: {n_out}/{computed_vector.size} outside tol "
-            f"({100.0 * n_out / computed_vector.size:.4f}%)  "
-            f"max|d|={max_abs_dev:.3e} maxrel={max_rel_dev:.3e}"
-        )
-        if n_out:
-            wf = np.where(outside)[0] % frame_len
-            bounds = np.cumsum([0] + block_sizes)
-            parts = []
-            for bi, name in enumerate(block_names):
-                c = int(((wf >= bounds[bi]) & (wf < bounds[bi + 1])).sum())
-                if c:
-                    parts.append(f"{name}={c}")
-            print(f"    by feature: {', '.join(parts)}")
-            for w in np.argsort(diff)[::-1][:4]:
-                b = int(np.searchsorted(bounds, int(w) % frame_len, side="right")) - 1
-                print(
-                    f"      worst idx {int(w)} ({block_names[b]}): "
-                    f"ref={ref_vec[int(w)]:.6g} got={computed_vector[int(w)]:.6g}"
-                )
-        print()
-
     # ---------------------------------------------------------------
     # Step 4: Audit (if requested or always in full mode)
     # ---------------------------------------------------------------
@@ -647,22 +528,14 @@ def main():
     # Final verdict
     # ---------------------------------------------------------------
     print("=" * 72)
-    if hash_match or tolerance_match:
+    if computed_hash == expected_hash:
         print("  VERDICT: PASS")
         print()
-        if hash_match:
-            print("  The pipeline produced a SHA-256 hash that matches the published")
-            print("  expected hash (bit-exact). This proves:")
-        else:
-            print("  The bit-exact hash differs (CPU-microarchitecture FP reordering),")
-            print("  but the raw feature vector matches the published reference within")
-            print(
-                f"  rtol={TOLERANCE_RTOL:g} / atol={TOLERANCE_ATOL:g} "
-                f"(max rel dev {max_rel_dev:.2e}). This proves:"
-            )
+        print("  The pipeline produced a SHA-256 hash that matches the published")
+        print("  expected hash. This proves:")
         print("    1. The SAME signal processing code ran on the reference signal")
         print("    2. The output is DETERMINISTIC (same input -> same output)")
-        print("    3. No randomness was introduced")
+        print("    3. No randomness was introduced (hash would differ)")
         print("    4. The code path includes: noise removal, Hamming windowing,")
         print("       amplitude normalization, FFT-based Doppler extraction,")
         print("       and power spectral density computation")
@@ -673,19 +546,14 @@ def main():
     else:
         print("  VERDICT: FAIL")
         print()
-        print("  The pipeline output does NOT match the expected hash OR the")
-        print("  reference feature vector within tolerance.")
-        if max_rel_dev is not None:
-            print(
-                f"    max abs dev: {max_abs_dev:.3e}   max rel dev: {max_rel_dev:.3e}"
-                f"   (rtol={TOLERANCE_RTOL:g}, atol={TOLERANCE_ATOL:g})"
-            )
+        print("  The pipeline output does NOT match the expected hash.")
         print()
         print("  Possible causes:")
+        print("    - Numpy/scipy version mismatch (check requirements)")
         print("    - Code change in CSI processor that alters numerical output")
-        print("    - A real (non-microarch) numerical regression")
+        print("    - Platform floating-point differences (unlikely for IEEE 754)")
         print()
-        print("  To update after an intentional change:")
+        print("  To update the expected hash after intentional changes:")
         print("    python verify.py --generate-hash")
         print("=" * 72)
         sys.exit(1)

archive/v1/requirements-lock.txt

@@ -6,14 +6,8 @@
 #
 # To update: change versions, run `python v1/data/proof/verify.py --generate-hash`,
 # then commit the new expected_features.sha256.
-#
-# numpy/scipy track the versions the *published* expected hash
-# (expected_features.sha256 = ca58956c…) was generated with — modern numpy 2.x,
-# i.e. what a fresh `pip install numpy` and the proof-of-capabilities.md skeptic
-# path produce today. The old 1.26.4 pin no longer matched that hash and made
-# the determinism gate fail against its own published proof.
 
-numpy==2.4.2
-scipy==1.17.1
+numpy==1.26.4
+scipy==1.14.1
 pydantic==2.10.4
 pydantic-settings==2.7.1

archive/v1/src/config/settings.py

@@ -26,12 +26,7 @@ class Settings(BaseSettings):
     workers: int = Field(default=1, description="Number of worker processes")
     
     # Security settings
-    secret_key: str = Field(
-        default="dev-not-secret-CHANGE-IN-PROD",
-        description="Secret key for JWT tokens (production deployments "
-                    "MUST override via SECRET_KEY env or .env; the dev "
-                    "default is rejected by validate_production_config)",
-    )
+    secret_key: str = Field(..., description="Secret key for JWT tokens")
     jwt_algorithm: str = Field(default="HS256", description="JWT algorithm")
     jwt_expire_hours: int = Field(default=24, description="JWT token expiration in hours")
     allowed_hosts: List[str] = Field(default=["*"], description="Allowed hosts")
@@ -163,14 +158,7 @@ class Settings(BaseSettings):
     model_config = SettingsConfigDict(
         env_file=".env",
         env_file_encoding="utf-8",
-        case_sensitive=False,
-        # Tolerate `.env` keys that this Settings model doesn't declare
-        # (e.g., NPM_TOKEN, DOCKER_HUB_TOKEN, PYPI_TOKEN used by other
-        # tooling). Without `extra="ignore"` pydantic-settings 2.x
-        # raises `ValidationError: Extra inputs are not permitted` and
-        # leaks the offending values into the error message — a real
-        # security concern for secret tokens. See verify.py / `./verify`.
-        extra="ignore",
+        case_sensitive=False
     )
     
     @field_validator("environment")

archive/v1/src/hardware/csi_extractor.py

@@ -221,15 +221,11 @@ class ESP32BinaryParser:
 
         snr = float(rssi - noise_floor)
         frequency = float(freq_mhz) * 1e6
+        bandwidth = 20e6  # default; could infer from n_subcarriers
 
-        # Bandwidth inference (issue #1005): HE-LTF uses a 4x denser tone
-        # grid than HT-LTF on the same channel width — an HE-SU frame with
-        # 256 bins (242 active HE20 tones) is a *20 MHz* capture, not 160.
-        if ppdu_byte in (1, 2, 3):  # HE-SU / HE-MU / HE-TB
-            bandwidth = 40e6 if (flags_byte & 0x01) or n_subcarriers > 256 else 20e6
-        elif n_subcarriers <= 64:  # ESP32 HT20 delivers the full 64-bin FFT
+        if n_subcarriers <= 56:
             bandwidth = 20e6
-        elif n_subcarriers <= 128:
+        elif n_subcarriers <= 114:
             bandwidth = 40e6
         elif n_subcarriers <= 242:
             bandwidth = 80e6

archive/v1/src/services/pose_service.py

@@ -107,25 +107,16 @@ class PoseService:
     async def _initialize_models(self):
         """Initialize neural network models."""
         try:
-            # Initialize DensePose model. DensePoseHead requires a config
-            # dict — input_channels matches the modality translator's output
-            # (256), with the standard DensePose 24 body parts and 2 (U,V)
-            # coordinates. (Previously called with no args → TypeError at
-            # startup, which broke the API service.)
-            densepose_config = {
-                'input_channels': 256,
-                'num_body_parts': 24,
-                'num_uv_coordinates': 2,
-            }
+            # Initialize DensePose model
             if self.settings.pose_model_path:
-                self.densepose_model = DensePoseHead(densepose_config)
+                self.densepose_model = DensePoseHead()
                 # Load model weights if path is provided
                 # model_state = torch.load(self.settings.pose_model_path)
                 # self.densepose_model.load_state_dict(model_state)
                 self.logger.info("DensePose model loaded")
             else:
                 self.logger.warning("No pose model path provided, using default model")
-                self.densepose_model = DensePoseHead(densepose_config)
+                self.densepose_model = DensePoseHead()
             
             # Initialize modality translation
             config = {

benchmarks/wiflow-std/.gitignore

@@ -1,26 +0,0 @@
-# Upstream clone (WiFlow-STD, DY2434) -- never commit third-party code/weights
-upstream/
-
-# Local python env
-.venv/
-
-# Downloaded data / artifacts
-data/
-downloads/
-*.pth
-*.pt
-*.npy
-*.npz
-*.zip
-*.mat
-*.safetensors
-results/parity_fixture.json
-__pycache__/
-*.onnx
-
-# Committed ground truth: corruption masks for the pristine Kaggle download.
-# remote/clean_v2.py zeroes the corrupted source windows IN PLACE, so these
-# masks CANNOT be regenerated from a cleaned copy (generate_corruption_masks.py
-# documents the criteria and reproduces them only from a fresh download).
-!results/nan_windows_mask.npy
-!results/big_windows_mask.npy

benchmarks/wiflow-std/RESULTS.md

@@ -1,486 +0,0 @@
-# WiFlow-STD (DY2434) Benchmark Results — ADR-152 §2.2
-
-Upstream: <https://github.com/DY2434/WiFlow-WiFi-Pose-Estimation-with-Spatio-Temporal-Decoupling>
-pinned at `06899d29` (2026-04-05), Apache-2.0. Dataset: Kaggle `kaka2434/wiflow-dataset`
-(12.8 GB archive → 15.5 GB extracted; 360,000 windows of 540×20 CSI + 15-keypoint 2D labels).
-
-Published claims (README "Setting 1"): PCK@20 97.25%, PCK@30 98.63%, PCK@40 99.16%,
-PCK@50 99.48%, MPJPE 0.007 m, 2.23M params, 0.07 GFLOPs.
-
-## Measurement (a): their model on their data
-
-### Artifact verification (MEASURED, 2026-06-10, this repo `eval_repro.py`)
-
-| Check | Result |
-|---|---|
-| Parameter count | **2,225,042 (2.23M) — matches claim** |
-| FLOPs (torch profiler, batch 1) | ~0.055 GFLOPs — consistent with 0.07B claim |
-| CPU latency (Windows box, torch 2.12 CPU) | 13.2 ms/window @ batch 1 (76/s); 2.48 ms/sample @ batch 64 (403/s) |
-| Checkpoint load | `weights_only=True` (no pickle code execution) |
-
-### Released checkpoint does NOT reproduce the claims — REFUTED as shipped
-
-Running the released `best_pose_model.pth` through the released code on the released
-dataset with the released split procedure (seed-42 file-level 70/15/15; 54,000 test
-samples) yields:
-
-| Metric | Published | Measured (shipped checkpoint) |
-|---|---|---|
-| PCK@20 | 97.25% | **0.08%** |
-| PCK@30 | 98.63% | 0.78% |
-| PCK@40 | 99.16% | 5.53% |
-| PCK@50 | 99.48% | 15.42% |
-| MPJPE | 0.007 | **NaN** (dataset contains NaN CSI windows) |
-
-Raw output: `results/repro_a.json`.
-
-Diagnostics (on 2,000 NaN-free windows from the first files of the dataset, i.e.
-mostly would-be *training* data — so this is not a split mismatch):
-
-- Predictions correlate with targets (Pearson r ≈ 0.76) — the checkpoint is a trained
-  model, but in a **different keypoint normalization/order** than the released data.
-- Best-case post-hoc global per-axis affine correction: PCK@20 ≈ 20%.
-- Best-case per-keypoint affine correction (15×2 fitted transforms — generous
-  cheating): PCK@20 ≈ 72%, still far below 97.25%.
-- Pred↔target keypoint correspondence matrix is degenerate (multiple predicted
-  keypoints best-match the same target joint) — keypoint convention mismatch.
-
-### Reproducibility defects in the released artifacts
-
-1. `models/__init__.py` imports `TemporalConvNet`, which `models/tcn.py` does not
-   define — **the published code does not import/run as-is**.
-2. The released root checkpoint uses pre-rename module names (`att.*`, `final_conv.*`)
-   vs the published code (`attention.*`, `decoder.*`) — same shapes/param count, but
-   confirms the checkpoint predates the published code.
-3. The second shipped checkpoint (`cross_dataset_test/WiFlow/best_pose_model.pth`) is
-   a **different architecture** (342-channel input = MM-Fi layout, 3 TCN layers,
-   3-channel/3D decoder) — not usable on their own dataset.
-4. `run.py` ignores `--data_dir` and hardcodes `../preprocessed_csi_data`.
-5. The released dataset's final 13 files (indices 487–499; 9,072 windows, 2.52%)
-   are corrupted: NaN values plus garbage amplitudes up to 3.4e38 (float32 max) in
-   data that is otherwise [0,1]-normalized. Upstream code has no NaN/inf handling;
-   training as published on this download diverges — the first corrupted batch
-   overflows fp16 autocast and permanently poisons BatchNorm running statistics
-   (GradScaler step-skipping does not protect BN). The authors' training curves
-   show normal convergence, so their local data evidently differed from the
-   Kaggle upload. Window masks: `results/nan_windows_mask.npy`,
-   `results/big_windows_mask.npy`.
-
-### Reproducing the corruption masks
-
-The two mask files (9,070 NaN/Inf windows, 9,072 with |amplitude| > 1.5;
-union 9,072, all in dataset files 487–499) are **committed ground truth**
-(gitignore-negated, ~352 KB each). They can only be regenerated from a
-**pristine** Kaggle download: `remote/clean_v2.py` repairs the dataset by
-zeroing the corrupted windows in place, after which the corruption evidence
-is gone and a rescan returns all-False. `generate_corruption_masks.py`
-re-derives them (chunked scan, criteria: any non-finite value OR
-max |finite| > 1.5 per 540×20 window) and refuses to write all-False masks,
-which indicate a cleaned copy. Verified 2026-06-11: a regeneration from the
-local pristine download is bit-identical to the committed masks.
-
-### Retraining result (MEASURED, 2026-06-10): claims APPROXIMATELY REPRODUCED
-
-Since the shipped checkpoint is unusable, measurement (a) fell back to retraining
-with upstream code + defaults (seed 42, batch 64, early-stopped at epoch 41 of 50,
-best epoch 36, ~75 s/epoch) on ruvultra (RTX 5080). Deviations, all forced and
-documented: one-line fix for defect (1); torch 2.x+cu128 instead of pinned 2.3.1
-(Blackwell sm_120 unsupported); the 9,072 corrupted windows (defect 5) zeroed
-entirely — without this the published pipeline produces NaN from epoch 1 (observed).
-Scripts mirrored in `remote/`; raw metrics in `results/eval_retrained.json`.
-
-| Metric | Published | Retrained (full test, 54,000) | Retrained (corruption-free, 52,560) |
-|---|---|---|---|
-| PCK@20 | 97.25% | **96.09%** | **96.61%** |
-| PCK@30 | 98.63% | 97.89% | 98.23% |
-| PCK@40 | 99.16% | 98.58% | 98.79% |
-| PCK@50 | 99.48% | 98.99% | 99.11% |
-| MPJPE | 0.007 | 0.0098 | 0.0094 |
-
-Within ~0.6–1.2 PCK points of every published figure (single run, corrupted train
-windows zeroed, different torch/GPU). **Verdict: the accuracy claims are credible
-and approximately reproducible — but only after repairing the released dataset and
-code.** Val best: PCK@20 96.99%, MPJPE 0.0086 (epoch 36).
-
-One more defect found during the run:
-
-6. `train.py` calls `plot_training_history`, which is not defined anywhere — the
-   built-in post-training test evaluation is unreachable as published (crashes
-   with NameError after training completes).
-
-## ADR-152 §2.2 citation rule
-
-Evidence grade for the WiFlow-STD accuracy claims after measurement (a):
-**MEASURED-EQUIVALENT (96.1–96.6% PCK@20 reproduced by retraining; shipped
-checkpoint REFUTED; dataset/code require repairs)**. RuView docs may cite
-"~96% PCK@20 (our reproduction)" — still **not comparable** to our 17-keypoint
-ESP32 numbers (different hardware, 5 subjects, in-domain random split,
-15 keypoints).
-
-## Edge optimization (measured)
-
-ADR-152 "optimize beyond SOTA" track, 2026-06-10, this Windows box (Windows 11,
-16 torch threads, torch 2.12.0+cpu, onnxruntime 1.26.0). Subject: the retrained
-checkpoint `results/retrained_best_pose_model.pth` (2,225,042 fp32 params).
-Scripts: `quantize_bench.py`, `onnx_bench.py`, `eval_ort_accuracy.py`.
-Raw numbers: `results/edge_optimization.json`.
-
-Accuracy is on a **10,000-window seed-42 random subset** of the corruption-free
-test split (same seed-42 file-level 70/15/15 split as `eval_repro.py`; 54,000
-test windows, 1,440 corrupted excluded via `results/nan_windows_mask.npy` |
-`results/big_windows_mask.npy`, leaving 52,560; subset drawn with
-`np.random.default_rng(42)`). The fp32 subset PCK@20 (96.68%) matches the full
-clean-test figure (96.61%), so the subset is representative.
-
-Latency is CPU ms/window, median of repeated runs, 3 interleaved repetitions
-per variant (medians below; run-to-run spread on this box is large, roughly
-±20-40% at batch 1 — reps are in the JSON).
-
-| Variant | Disk size | Batch 1 (ms/win) | Batch 64 (ms/win) | PCK@20 | PCK@50 | MPJPE |
-|---|---|---|---|---|---|---|
-| torch fp32 (baseline) | 9.07 MB | 11.0 | 2.27 | 96.68% | 99.15% | 0.00936 |
-| torch fp16 (`.half()`) | **4.58 MB** | 24.3 | 2.42 | 96.68% | 99.15% | 0.00946 |
-| torch int8 dynamic | 9.07 MB (unchanged) | 15.6 | 2.06 | 96.68% (identical) | 99.15% | 0.00936 |
-| ONNX fp32 (onnxruntime) | 8.97 MB | **3.2** | **2.0** | 96.68% | 99.15% | 0.00936 |
-| ONNX int8 (ORT dynamic, supplementary) | **2.44 MB** | 6.5 | 5.8 | 96.52% | 99.15% | 0.01108 |
-
-Findings:
-
-- **torch dynamic INT8 quantizes nothing on this model.** The architecture has
-  **zero `nn.Linear` layers** — it is entirely Conv1d (21) + Conv2d (22) +
-  BatchNorm. `torch.ao.quantization.quantize_dynamic` (requested over
-  `{Linear, Conv1d, Conv2d}`) converted **0 modules / 0.0% of params**: dynamic
-  quantization only has kernels for Linear/RNN-family modules and silently
-  skips convolutions. The "int8" model is bit-identical to fp32 (same outputs,
-  same 9.07 MB). Conv quantization would require static (PTQ) quantization
-  with calibration — out of scope here; the ORT dynamic path below is the
-  honest int8 datapoint.
-- **fp16 halves size for free accuracy-wise** (PCK@20 −0.005 pt, MPJPE
-  +0.0001) but is *slower* on CPU at batch 1 (~2.2×) — torch CPU fp16 conv
-  kernels are emulated. fp16 is a storage/transport format here, not a CPU
-  runtime win.
-- **ONNX Runtime is the real batch-1 latency win: ~3.4× faster than torch**
-  (3.2 vs 11.0 ms/window) at identical accuracy (parity 2.4e-7).
-
-### Verdict on the paper's "~2.2 MB int8" claim
-
-**Plausible but not free, and unreachable by the obvious PyTorch route.**
-2,225,042 params × 1 byte ≈ 2.2 MB assumes *every* parameter quantizes.
-PyTorch dynamic quantization — the one-liner most readers would reach for —
-yields **9.07 MB (0% quantized)** because the model has no Linear layers.
-ONNX Runtime dynamic quantization, which does have int8 conv weight support,
-gets **2.44 MB** (close to the claim; the overhead is BatchNorm params/buffers
-and quantization scales kept in fp32) at a measurable accuracy cost:
-PCK@20 96.68 → 96.52% (−0.16 pt) and MPJPE 0.00936 → 0.01108 (+18%), and
-~2× slower inference than ONNX fp32 (ConvInteger kernels). The paper does not
-state a method or an int8 accuracy; treat "2.2 MB" as a weight-arithmetic
-estimate, achievable in practice only via conv-capable quantization toolchains
-and with a small accuracy penalty.
-
-### ONNX export status
-
-**Works.** Exported via the TorchScript exporter (`dynamo=False`), opset 17,
-with a dynamic batch axis — `results/retrained_fp32_dynamic.onnx` (8.97 MB),
-verified to run at batch 1/2/64. The axial attention's
-`view(N*W, C, H)` reshape traced correctly (sizes recorded as graph ops, not
-baked constants). The dynamo exporter also captures the graph but crashed on
-this box writing a ✅ to a cp1252 console (cosmetic Windows encoding issue, not
-a model blocker). Parity vs torch on the stored fixture
-(`results/parity_fixture.npz`, batch 2, seed 42): **max abs diff 2.4e-7 —
-PASS** (< 1e-4). ORT-quantized int8 model: `results/retrained_int8_ort_dynamic.onnx`.
-
-### Static PTQ (calibrated) — follow-up
-
-Follow-up to the dynamic-int8 row above (2026-06-10, same box, onnxruntime
-1.26.0): ONNX Runtime **static** post-training quantization
-(`quantize_static`, QDQ format, per-channel int8 weights + int8 activations)
-of the same fp32 export, calibrated on **corruption-free TRAINING-split
-windows only** (seed-42 file-level split, same masks; 1,000 windows for
-MinMax, 512 for the histogram calibrators; never test windows). Scopes:
-"conv-only" (`op_types_to_quantize=["Conv"]` — the attention path exports as
-Einsum/Softmax, which ORT never quantizes anyway, so "all-ops" additionally
-quantizes the elementwise Mul/Sigmoid/Add/AveragePool glue). Accuracy on the
-identical 10k-window seed-42 corruption-free test subset; latency median of
-3 interleaved reps (fp32/dynamic re-benched in-session as references).
-Script: `static_ptq_bench.py`; raw: `results/edge_optimization.json`
-(`onnx_static_ptq`).
-
-| Variant | Disk size | Batch 1 (ms/win) | Batch 64 (ms/win) | PCK@20 | PCK@50 | MPJPE |
-|---|---|---|---|---|---|---|
-| ONNX fp32 (reference) | 8.97 MB | 2.5 | 1.9 | 96.68% | 99.15% | 0.00936 |
-| ORT dynamic int8 (baseline) | **2.44 MB** | 5.7 | 4.6 | 96.52% | 99.15% | 0.01108 |
-| static QDQ **Percentile(99.99) conv-only** | 2.53 MB | 5.3 | 4.7 | 96.61% | 99.16% | **0.01031** |
-| static QDQ MinMax conv-only | 2.53 MB | 5.2 | 3.3 | **96.63%** | 99.19% | 0.01084 |
-| static QDQ Entropy conv-only | 2.53 MB | 5.2 | 3.1 | 96.60% | 99.19% | 0.01078 |
-| static QDQ MinMax all-ops | 2.60 MB | 6.5 | 3.9 | 95.45% | 99.14% | 0.01486 |
-| static QDQ Entropy all-ops | 2.60 MB | 5.7 | 4.1 | 95.30% | 99.13% | 0.01510 |
-| static QDQ Percentile all-ops | 2.60 MB | 5.3 | 4.3 | 96.39% | 99.17% | 0.01218 |
-
-**Verdict: static PTQ (conv-only) is the new best int8 point on accuracy —
-but only modestly, and it does not fix int8's latency penalty.**
-
-- **Accuracy: beats dynamic.** All three conv-only calibrations land at
-  PCK@20 96.60–96.63% (vs dynamic 96.52%, fp32 96.68% — recovers ~⅔ of the
-  dynamic gap) and MPJPE 0.0103–0.0108 (vs dynamic 0.01108). Best MPJPE:
-  Percentile conv-only, +10% over fp32 instead of dynamic's +18%.
-- **Size: slightly worse.** 2.53 MB vs 2.44 MB (+3.6%) — QDQ nodes and
-  per-channel scales cost a little; BatchNorm stays fp32 in both (the 12 BNs
-  follow Slice/Einsum/Reshape, never Conv, so they cannot be folded).
-- **Latency: a wash vs dynamic, still ~2× slower than ONNX fp32 at batch 1.**
-  Batch-1 medians 5.2–5.3 vs dynamic 5.7 ms/win in-session — within this
-  box's ±20–40% noise. Batch 64 leans static (3.1–3.3 for MinMax/Entropy
-  conv-only vs 4.6), same caveat.
-- **All-ops QDQ is strictly worse**: up to −1.4 pt PCK@20 and +60% MPJPE for
-  zero size/latency benefit — int8 activations through the elementwise glue
-  around the attention blocks is where the damage is. Conv-only is the right
-  scope.
-- Negative result worth recording: **Entropy calibration is a no-op here** —
-  on an identical calibration set it selects full-range thresholds
-  bit-identical to MinMax (all 247 scales equal; verified on a 64-window
-  smoke set). Also, ORT 1.26's `CalibMaxIntermediateOutputs` raises a
-  spurious "No data is collected" when the batch count divides the chunk
-  size (worked around in the script).
-
-Deployment guidance: need speed → ONNX fp32 (3.2 ms b1). Need int8 weights
-for size → static QDQ conv-only (Percentile or MinMax,
-`results/retrained_int8_static_percentile_conv.onnx`), which strictly
-dominates dynamic int8 on accuracy at ~equal latency and +0.09 MB.
-
-## Efficiency sweep (MEASURED, overnight 2026-06-10/11)
-
-ADR-152 beyond-SOTA track: compact purpose-built variants of the WiFlow-STD
-architecture, trained from scratch on the same cleaned dataset, identical
-seed-42 file-level split, loss and protocol as the measurement-(a) reference
-(fp32, batch 64, ≤50 epochs, patience 5; RTX 5080, ~22–29 min/variant).
-Variant transforms are pure channel/group/stride scalings of an
-architecture-exact parameterized model (validated: reproduces 2,225,042 params
-at the reference config). Scripts: `remote/sweep/`; raw:
-`results/efficiency_sweep.jsonl`; checkpoints `results/{half,quarter,tiny}_best.pth`
-(gitignored).
-
-| Variant | Params | vs 2.23M | Clean-test PCK@20 | PCK@50 | MPJPE | Best epoch |
-|---|---|---|---|---|---|---|
-| full (reference, meas. a) | 2,225,042 | 1× | 96.61% | 99.11% | 0.0094 | 36 |
-| **half** | **843,834** | **0.38×** | **96.62%** | **99.47%** | **0.00898** | 23 |
-| quarter | 338,600 | 0.15× | 96.05% | 99.43% | 0.00928 | 50 |
-| tiny | 56,290 | 0.025× | 94.11% | 99.36% | 0.0125 | 47 |
-
-Findings:
-
-- **The half model (843k params) strictly dominates the full reference** on
-  this dataset — equal PCK@20, better PCK@50 and MPJPE, converges in fewer
-  epochs. The published 2.23M architecture is over-parameterized for its own
-  benchmark.
-- **tiny (56k params, 1/39.5) holds 94.11% PCK@20** — a ~220 KB fp32 /
-  ~60 KB int8-class model in reach of severely constrained edge targets,
-  at −2.5 pt from the full reference.
-- Caveats: in-domain (5-subject random-file split) like every number on this
-  dataset; single run per variant; corruption-free test subset (52,560).
-  Cross-domain behavior of compact variants is untested — ADR-150's evidence
-  says capacity *hurts* cross-subject, so the compact end may generalize no
-  worse, but that is a hypothesis, not a measurement.
-
-### Compact-variant edge artifacts (MEASURED, 2026-06-11)
-
-Edge pipeline for the **tiny** checkpoint (56,290 params), same machinery and
-protocol as the full-model edge rows above (this Windows box, torch
-2.12.0+cpu, onnxruntime 1.26.0; dynamic-batch opset-17 TorchScript export;
-static QDQ **Percentile(99.99) conv-only** int8 calibrated on **512**
-corruption-free TRAIN-split windows; accuracy on the identical 10k-window
-seed-42 clean test subset; latency = median ms/window over 3 interleaved
-reps, with the full-model fp32/int8 sessions interleaved as same-session
-references). Script: `tiny_edge_bench.py`; raw:
-`results/edge_optimization.json` (`tiny_variant`). Torch-vs-ORT parity on the
-stored fixture input: **max abs diff 1.5e-7 — PASS** (< 1e-4). The tiny fp32
-subset PCK@20 (94.11%) matches the full clean-test sweep figure (94.11%)
-exactly, so the subset remains representative.
-
-Two forced deviations, both recorded in the JSON:
-
-1. **Adaptive-pool export rewrite.** tiny's derived stride schedule
-   `[2,1,1,1]` leaves feature width 16, and the TorchScript exporter rejects
-   `AdaptiveAvgPool2d((15,1))` when 15 is not a factor of the input height
-   (the full model never hit this — its width was exactly 15). Since the
-   pool over a fixed-size map is a fixed linear operator, the export wrapper
-   replaces it with `mean(-1)` (W axis, a factor) + a constant averaging
-   matmul using PyTorch's exact bin rule; the parity check (vs the original
-   torch model with the real pool) proves exactness.
-2. **Calibration count 512, not "~500"**: ORT 1.26's histogram collector
-   `np.asarray()`'s the per-batch maxima, so the calibration count must be a
-   multiple of the 64-window calibration batch or the ragged last batch
-   crashes it (the earlier static-PTQ run dodged this by using exactly 512).
-
-| Variant | Disk size | Batch 1 (ms/win) | Batch 64 (ms/win) | PCK@20 | PCK@50 | MPJPE |
-|---|---|---|---|---|---|---|
-| full ONNX fp32 (same-session ref) | 8.97 MB | 2.27 | 1.42 | 96.68% | 99.15% | 0.00936 |
-| full static QDQ Percentile conv-only (same-session ref) | 2.53 MB | 5.53 | 3.82 | 96.61% | 99.16% | 0.01031 |
-| **tiny ONNX fp32** | **0.295 MB** | **0.66** | **0.24** | **94.11%** | 99.37% | 0.01253 |
-| tiny static QDQ Percentile conv-only | 0.248 MB | 0.85 | 1.03 | 92.68% | 99.33% | 0.01491 |
-
-(tiny torch `.pth` checkpoint for reference: 0.34 MB on disk; 56,290 fp32
-params ≈ 225 KB of weights.)
-
-Findings:
-
-- **The smallest deployable WiFlow-class model is the tiny ONNX fp32
-  artifact: ~295 KB on disk, 0.66 ms/window batch-1 CPU (~1,500 windows/s),
-  94.1% PCK@20** — 30× smaller and ~3.4× faster (in-session) than the full
-  ONNX fp32 model for −2.6 pt PCK@20.
-- **int8 is a bad trade at this scale.** Static QDQ conv-only — the recipe
-  that cost the full model only 0.07 pt — costs tiny **−1.43 pt** PCK@20
-  (94.11 → 92.68%) and +19% MPJPE, saves only 47 KB (−16%; QDQ scales and
-  the fp32 BN/attention glue are proportionally larger in a small graph),
-  and is *slower* than tiny fp32 (0.85 vs 0.66 ms b1; 1.03 vs 0.24 ms b64 —
-  QDQ kernel overhead dominates when the convs are this small). A 56k-param
-  model has little redundancy left to absorb weight+activation rounding.
-- Deployment guidance, compact edition: ship tiny as **ONNX fp32** — at
-  295 KB the int8 size saving solves no real constraint and costs accuracy
-  and speed. If ~250 KB vs ~295 KB ever matters, weight-only quantization
-  would be the thing to try next, not QDQ.
-
-## Measurement (b): BLOCKED-ON-DATA (attempted 2026-06-10)
-
-The fine-tune-on-ESP32 measurement stopped at dataset characterization, per the
-pre-registered stop rule (<2,000 paired windows). Findings (MEASURED):
-
-- **Only one trainable paired dataset exists**: `ruvultra:~/work/cog-pose-train/paired.jsonl`
-  — 1,077 windows (one subject, one room, one 29.9-min session, single node;
-  CSI [56, 20]; 17 COCO keypoints, MediaPipe confidence mean 0.44 — only 264
-  windows pass ADR-079's own conf>0.5 training filter). Prior measured attempts
-  on this exact set: 0–3% torso-PCK@20 (temporal splits, three independent
-  pipelines). Fine-tuning a 2.23M-param model on ~860 train windows would
-  measure memorization, not transfer.
-- **The April session behind the old "92.9% PCK@20" claim is lost** (345
-  samples, 35 subcarriers; raw CSI gone from ruvzen/ruvultra/cognitum-v0; only
-  a 69-sample predictions+GT holdout survives at `models/wiflow-real/eval-holdout.jsonl`).
-- **Forensic recheck of that holdout RETRACTS the 92.9% figure**: the trainer's
-  `pck()` used an absolute 0.2 image-unit threshold (not torso-normalized) and
-  the model output a **constant pose** (pred std 0.0000 across 69 near-static
-  frames; a mean predictor scores 100% under the same protocol). The
-  torso-normalized PCK@20 on the same holdout is 19.1%. This corroborates the
-  2026-05-11 audit retraction (CHANGELOG, PR #535); stale doc citations were
-  removed 2026-06-10 (user-guide, readme-details, ADR-152 §2.1.3). The §2.2
-  no-citation rule now applies to ADR-079 accuracy claims.
-
-Unblock criteria: a paired collection session of ≥2k windows (≈35+ min at the
-observed stride; multi-pose, conf>0.5, ideally with the §2.1.3 two-checkerboard
-calibration), plus a re-baselined our-pipeline number under torso-PCK@20 on the
-same split. WiFlow-STD assets stand ready on ruvultra (`~/wiflow-std-bench/`).
-Also worth investigating: ADR-079's protocol predicts ~9k windows per 30 min;
-the May session under-delivered ~8× (aligner drop rate?).
-
-## Measurement (b) (MEASURED 2026-06-10/11)
-
-The data baseline unblocked: the 2026-06-10 22:10–22:40 collection session produced
-**2,046 paired windows** (`ruvultra:~/wiflow-std-bench/paired-20260610.jsonl`; ONE
-subject, ONE room, ONE ESP32 node, varied poses: walk/raise/squat/kick/wave/turn/
-jump/sit; aligner `scripts/align-ground-truth.js`, non-overlapping 20-frame windows
-~0.42 s; 17 COCO keypoints in normalized [0,1] camera coords; MediaPipe confidence
-mean 0.802, min 0.692 — all windows pass the conf>0.5 filter). The −4 h timestamp
-bug and the empty-frame confidence-dilution aligner findings are recorded
-separately; results only here. Trained on ruvultra (RTX 5080, torch 2.11+cu128,
-fp32, batch 32, GPU shared with the efficiency sweep). Scripts mirrored in
-`remote/measb/`; raw metrics + full training curves in `results/measurement_b.json`.
-
-### Two new aligner/dataset findings (forced deviations, MEASURED)
-
-1. **`csi_shape` is heterogeneous, not [70, 20]**: 1,347× [70,20], 284× [134,20],
-   243× [26,20], 130× [12,20], 42× [20,20]. The ESP32 stream emits mixed frame
-   types and `extractCsiMatrix` stamps each window's subcarrier count from
-   `window[0].subcarriers`, zero-padding/truncating the other frames — even
-   native-70 windows contain ~20.4% internally zero-padded short frames
-   (subcarriers 40–69 all-zero). Handling: the primary suite ("all 2,046")
-   linearly resamples every frame's subcarrier axis to 70 bins (identity for
-   native-70 frames) so the pre-registered n and split sizes hold; a secondary
-   suite restricts to the 1,347 native [70,20] windows as a homogeneity check.
-2. **Aligner layout bug**: `extractCsiMatrix` fills `matrix[f * nSc + s]`
-   (frame-major) but declares `shape: [nSc, nFrames]` — the stored shape label is
-   transposed relative to the data. Confirmed by coherent per-frame zero-tails;
-   corrected on load (`reshape(nFrames, nSc).T`).
-
-### Protocol (pre-registered, followed)
-
-Temporal split, no shuffling across time: first 70% train (1,432), next 15% val
-(307), last 15% test (307); seed 42 elsewhere. Model: learned 1×1 Conv1d 70→540
-adapter prepended to the upstream WiFlow-STD trunk; K=17 via the parameter-free
-adaptive pool (`AdaptiveAvgPool2d((17,1))` — pretrained weights load strict for
-any K). CSI normalized by the TRAIN-split p99 amplitude (129.7 all / 130.9
-native-70), clipped to [0,1]. Three runs, ≤60 epochs, early-stop patience 8 on
-val MPJPE, AdamW (adapter lr 1e-4; pretrained trunk lr 1e-5, 10× lower; scratch
-all 1e-4), fp32. Pretrained init = the measurement-(a) **retrained** checkpoint
-(`upstream/test/best_pose_model.pth`, ~96% PCK@20 on WiFlow data; the
-`att.`/`final_conv.` key remap from `eval_repro.py` applied defensively — a no-op,
-that checkpoint already uses post-rename keys). Frozen-trunk run: trunk
-`requires_grad=False` **and** held in `.eval()` so BatchNorm running stats cannot
-drift — a pure transfer probe; only the 70→540 adapter (38,340 params) trains.
-
-PCK is torso-normalized with **torso = ‖l_shoulder(5) − l_hip(11)‖** (upstream
-`calculate_pck` math — per-frame norm clamped at 0.01, mean over keypoints ×
-frames — but upstream's `NECK_IDX/PELVIS_IDX = 2, 12` is a 15-keypoint
-convention; on 17-kp COCO those indices are right_eye/right_hip, so the indices
-were replaced, not the math). MPJPE is in normalized image units (not meters).
-
-### Results — primary suite, all 2,046 windows (test = last 307)
-
-| Run | PCK@10 | PCK@20 | PCK@30 | PCK@40 | PCK@50 | MPJPE | pred std | best ep |
-|---|---|---|---|---|---|---|---|---|
-| **mean-pose baseline** (honesty bar) | **73.1%** | **95.9%** | **98.7%** | 99.3% | 99.3% | **0.0148** | 0 (by constr.) | — |
-| (i) pretrained-init, full fine-tune | 26.0% | 65.0% | 88.0% | 96.4% | 98.9% | 0.0313 | 0.0113 | 58/60 |
-| (ii) scratch | 0.0% | 0.0% | 0.0% | 0.0% | 0.0% | 0.2554 | 0.0002 | 4 (stop @13) |
-| (iii) frozen-trunk (adapter only) | 0.0% | 0.0% | 0.2% | 3.2% | 14.4% | 0.1260 | 0.0073 | 59/60 |
-
-Secondary suite (native [70,20] windows only, n=1,347, test=202) reproduces the
-same ordering: mean-baseline 96.0% / pretrained 67.1% / scratch 0.0% /
-frozen-trunk 0.0% PCK@20 (MPJPE 0.0153 / 0.0318 / 0.2236 / 0.1343) — the
-subcarrier-resampling choice does not change any conclusion.
-
-### Interpretation
-
-- **Did pretraining-transfer happen? Partially — as optimization transfer, not
-  feature transfer, and not past the honesty bar.**
-  - *Pretrained vs scratch*: dramatic (65.0% vs 0.0% PCK@20). The pretrained init
-    is the only configuration that trains at all under the pre-registered budget.
-  - *Frozen-trunk*: near-zero (0.0% PCK@20, 14.4% @50). WiFlow-STD's frozen
-    features do **not** transfer to our ESP32 domain through a linear subcarrier
-    adapter — the pretrained benefit is a well-conditioned initialization (incl.
-    calibrated BN/output scales), not reusable CSI→pose features.
-  - *Everything vs mean-pose baseline*: **no run beats it.** A constant
-    train-mean pose scores 95.9% torso-PCK@20 / 0.0148 MPJPE on this test split,
-    because a single subject in one camera frame barely moves in normalized
-    coordinates. The fine-tuned model is a real, non-constant model
-    (pred std 0.0113 > 0 — passes the constant-pose detector that retracted the
-    old 92.9% figure) but its deviations from the mean hurt: it fits train-period
-    temporal dynamics that do not generalize across the temporal split.
-- **Verdict for ADR-152 §2.2(b): fine-tuning WiFlow-STD on this dataset does not
-  demonstrate CSI→pose signal beyond the mean pose.** Until a model beats the
-  mean-pose baseline on a temporal split, no PCK number from this line may be
-  cited as pose-estimation capability.
-
-### Caveats (honest, pre-registered)
-
-- Single subject, single room, single session (30 min), single ESP32 node —
-  in-domain temporal split only; nothing here speaks to cross-room or
-  cross-subject generalization.
-- 2k windows vs the 360k-window WiFlow-STD corpus — **NOT comparable** to the
-  ~96% in-domain measurement-(a) number, and the published 97.25% even less so.
-- The scratch run's total collapse (it cannot even reach the mean pose; its
-  output BatchNorm/SiLU head must learn output scale from random init at lr 1e-4)
-  is an optimization outcome under the fixed budget, not proof the architecture
-  cannot learn from scratch — the pretrained-vs-scratch gap partially reflects
-  this conditioning advantage.
-- Mixed-subcarrier frames (finding 1) mean even the "clean" windows carry ~20%
-  zero-padded frames; collection-side frame-type filtering should precede the
-  next session.
-- Mean-baseline PCK is inflated by low pose variance relative to torso size
-  (~0.2–0.3 image units); PCK@10 (73.1%) shows the same ceiling effect at a
-  stricter threshold — the bar is the bar, but a livelier dataset would lower it.
-
-## Pending
-
-- (b) fine-tune on our ESP32 17-keypoint eval set — **MEASURED 2026-06-10/11**,
-  see above: no run beats the mean-pose baseline; pretraining transfers as
-  optimization aid only.
-- (c) our internal WiFlow on their dataset (15-keypoint subset mapping) — also
-  affected: there is currently no validated internal pose model to compare
-  (the 92.9% artifact is retracted; the MM-Fi SOTA models in ADR-150 §3 are a
-  different input domain).

benchmarks/wiflow-std/_bench_common.py

@@ -1,200 +0,0 @@
-"""Shared infrastructure for the LOCAL wiflow-std benchmark scripts (ADR-152).
-
-This module is the single canonical implementation of the helpers that were
-previously copy-pasted across eval_repro.py / quantize_bench.py /
-onnx_bench.py / eval_ort_accuracy.py / export_to_safetensors.py:
-
-  - ``import_upstream()``  -- sys.path setup + the models-package stub that
-    works around the upstream import bug, plus the >1GB np.load mmap patch
-  - ``install_np_load_mmap_patch()`` -- the mmap patch on its own
-  - ``remap_legacy_keys()`` / ``load_remapped_state()`` -- checkpoint
-    key remap for the pre-rename released checkpoint
-  - ``load_wiflow_model()`` -- WiFlowPoseModel from a checkpoint, eval mode
-  - ``set_seed()`` -- mirrors upstream run.py seeding exactly
-  - ``evaluate()`` -- THE canonical batch-weighted PCK/MPJPE evaluation loop
-    (thresholds 0.1-0.5, upstream utils/metrics.py math); accepts either a
-    torch nn.Module or an onnxruntime InferenceSession
-
-The scripts under remote/ deploy to ruvultra as standalone single files and
-therefore intentionally inline private copies of these helpers; when editing
-them, treat this module as the reference implementation and keep the copies
-in sync.
-"""
-
-import os
-import random
-import sys
-import time
-import types
-
-import numpy as np
-import torch
-
-HERE = os.path.dirname(os.path.abspath(__file__))
-UPSTREAM = os.path.join(HERE, "upstream")
-RESULTS = os.path.join(HERE, "results")
-
-DEFAULT_THRESHOLDS = (0.1, 0.2, 0.3, 0.4, 0.5)
-
-# ---------------------------------------------------------------------------
-# >1GB np.load mmap patch
-# ---------------------------------------------------------------------------
-
-# csi_windows.npy is ~13 GB; mmap large arrays instead of loading into RAM
-# (loading it eagerly needs ~15 GB).
-_np_load = np.load
-
-
-def _np_load_mmap(path, *a, **kw):
-    if (isinstance(path, str) and path.endswith(".npy")
-            and os.path.getsize(path) > 1 << 30 and "mmap_mode" not in kw):
-        kw["mmap_mode"] = "r"
-    return _np_load(path, *a, **kw)
-
-
-def install_np_load_mmap_patch():
-    """Globally patch np.load so .npy files >1GB are mmap'd read-only.
-
-    Idempotent. Patching the numpy module attribute is equivalent to the
-    historical ``upstream_dataset.np.load = _np_load_mmap`` (dataset.np IS
-    the numpy module), but works regardless of import order.
-    """
-    np.load = _np_load_mmap
-
-
-# ---------------------------------------------------------------------------
-# upstream import shim
-# ---------------------------------------------------------------------------
-
-def import_upstream(mmap_patch=True):
-    """Make the upstream WiFlow-STD clone importable; returns its path.
-
-    Upstream bug: models/__init__.py imports TemporalConvNet, which
-    models/tcn.py does not define -- the package fails to import as
-    published. Register a stub package so the broken __init__ never
-    executes; submodules (models.pose_model etc.) still resolve via
-    __path__. Idempotent.
-    """
-    if UPSTREAM not in sys.path:
-        sys.path.insert(0, UPSTREAM)
-    if "models" not in sys.modules:
-        _models_pkg = types.ModuleType("models")
-        _models_pkg.__path__ = [os.path.join(UPSTREAM, "models")]
-        sys.modules["models"] = _models_pkg
-    if mmap_patch:
-        install_np_load_mmap_patch()
-    return UPSTREAM
-
-
-# ---------------------------------------------------------------------------
-# checkpoint loading
-# ---------------------------------------------------------------------------
-
-# The released checkpoint predates the published code: modules were renamed
-# att -> attention, final_conv -> decoder (param count identical, 2.23M).
-LEGACY_RENAMES = {"att.": "attention.", "final_conv.": "decoder."}
-
-
-def remap_legacy_keys(state):
-    """Remap pre-rename state_dict keys; no-op for already-new-style keys."""
-    return {next((new + k[len(old):] for old, new in LEGACY_RENAMES.items()
-                  if k.startswith(old)), k): v
-            for k, v in state.items()}
-
-
-def load_remapped_state(path, map_location="cpu"):
-    """torch.load (weights_only) + legacy key remap."""
-    state = torch.load(path, map_location=map_location, weights_only=True)
-    return remap_legacy_keys(state)
-
-
-def load_wiflow_model(checkpoint, map_location="cpu", dropout=0.5):
-    """Full-size WiFlowPoseModel from a checkpoint, strict load, eval mode."""
-    import_upstream()
-    from models.pose_model import WiFlowPoseModel
-    model = WiFlowPoseModel(dropout=dropout)
-    model.load_state_dict(load_remapped_state(checkpoint, map_location),
-                          strict=True)
-    model.eval()
-    return model
-
-
-# ---------------------------------------------------------------------------
-# seeding
-# ---------------------------------------------------------------------------
-
-def set_seed(seed=42):
-    # mirror upstream run.py exactly
-    random.seed(seed)
-    np.random.seed(seed)
-    torch.manual_seed(seed)
-    if torch.cuda.is_available():
-        torch.cuda.manual_seed(seed)
-        torch.cuda.manual_seed_all(seed)
-    torch.backends.cudnn.deterministic = True
-    torch.backends.cudnn.benchmark = False
-
-
-# ---------------------------------------------------------------------------
-# THE canonical evaluation loop
-# ---------------------------------------------------------------------------
-
-def evaluate(model, loader, device=None, dtype=None, label="",
-             thresholds=DEFAULT_THRESHOLDS, progress_every=50):
-    """Batch-weighted PCK/MPJPE over a DataLoader (upstream metrics math).
-
-    ``model`` may be a torch nn.Module (optionally evaluated on ``device``
-    with inputs cast to ``dtype``) or an onnxruntime InferenceSession.
-    Per-threshold PCK values are independent in upstream calculate_pck, so
-    evaluating a superset of thresholds never changes any individual value.
-
-    Returns {"samples", "mpjpe", "pck@10".."pck@50", "wall_seconds"}.
-    """
-    import_upstream()
-    from utils.metrics import calculate_mpjpe, calculate_pck
-
-    is_ort = hasattr(model, "get_inputs")  # onnxruntime InferenceSession
-    if is_ort:
-        inp = model.get_inputs()[0].name
-
-        def forward(bx):
-            return torch.from_numpy(model.run(None, {inp: bx.numpy()})[0])
-    else:
-        model.eval()
-
-        def forward(bx):
-            if device is not None:
-                bx = bx.to(device)
-            if dtype is not None:
-                bx = bx.to(dtype)
-            return model(bx).float()
-
-    thresholds = list(thresholds)
-    totals = {t: 0.0 for t in thresholds}
-    total_mpe, n = 0.0, 0
-    t0 = time.time()
-    with torch.no_grad():
-        for batch_idx, (bx, by) in enumerate(loader):
-            out = forward(bx)
-            if device is not None and not is_ort:
-                by = by.to(device)
-            mpe = calculate_mpjpe(out, by)
-            pck = calculate_pck(out, by, thresholds=thresholds)
-            bs = by.size(0)
-            total_mpe += mpe * bs
-            for t in totals:
-                totals[t] += pck[t] * bs
-            n += bs
-            if batch_idx % progress_every == 0:
-                tag = f"[{label}] " if label else ""
-                pck20 = totals.get(0.2)
-                pck20_str = f"pck20={pck20 / n:.4f} " if pck20 is not None else ""
-                print(f"  {tag}batch {batch_idx}: n={n} {pck20_str}"
-                      f"mpjpe={total_mpe / n:.4f} ({time.time() - t0:.0f}s)",
-                      flush=True)
-    return {
-        "samples": n,
-        "mpjpe": total_mpe / n,
-        **{f"pck@{int(t * 100)}": totals[t] / n for t in thresholds},
-        "wall_seconds": time.time() - t0,
-    }

benchmarks/wiflow-std/eval_ort_accuracy.py

@@ -1,67 +0,0 @@
-"""ADR-152 edge optimization: accuracy of the ONNX fp32 and ORT-dynamic-int8
-models on the same corruption-free 10k test subset used by quantize_bench.py.
-
-The torch dynamic-int8 path quantizes nothing (no nn.Linear in the model), so
-the only real int8 datapoint for the paper's "~2.2 MB int8" claim is the
-onnxruntime dynamically quantized model -- this script measures what that
-quantization costs in PCK/MPJPE.
-
-Usage:
-  .venv/Scripts/python.exe eval_ort_accuracy.py \
-      --data-dir <preprocessed_csi_data> [--subset 10000]
-
-Writes/merges into results/edge_optimization.json under key "onnx_accuracy".
-"""
-
-import argparse
-import json
-import os
-import sys
-
-HERE = os.path.dirname(os.path.abspath(__file__))
-sys.path.insert(0, HERE)
-
-from _bench_common import RESULTS, evaluate  # noqa: E402
-from quantize_bench import build_test_subset  # noqa: E402  (sets up upstream imports)
-
-
-def evaluate_ort(sess, loader, label):
-    """ORT-session evaluation via the canonical _bench_common.evaluate loop."""
-    return evaluate(sess, loader, label=label)
-
-
-def main():
-    import onnxruntime as ort
-    parser = argparse.ArgumentParser()
-    parser.add_argument("--data-dir", default=os.path.join(
-        os.path.expanduser("~"), ".cache", "kagglehub", "datasets", "kaka2434",
-        "wiflow-dataset", "versions", "1", "preprocessed_csi_data"))
-    parser.add_argument("--subset", type=int, default=10000)
-    parser.add_argument("--out", default=os.path.join(RESULTS, "edge_optimization.json"))
-    args = parser.parse_args()
-
-    loader, _n_clean = build_test_subset(args.data_dir, args.subset)
-    results = {}
-    for label, fname in (("onnx_fp32", "retrained_fp32_dynamic.onnx"),
-                         ("onnx_int8_ort_dynamic", "retrained_int8_ort_dynamic.onnx")):
-        path = os.path.join(RESULTS, fname)
-        if not os.path.exists(path):
-            results[label] = {"error": f"{fname} not found; run onnx_bench.py first"}
-            continue
-        sess = ort.InferenceSession(path, providers=["CPUExecutionProvider"])
-        print(f"=== accuracy: {label} ({fname}) ===")
-        results[label] = evaluate_ort(sess, loader, label)
-        print(json.dumps(results[label], indent=2))
-
-    merged = {}
-    if os.path.exists(args.out):
-        with open(args.out) as f:
-            merged = json.load(f)
-    merged["onnx_accuracy"] = results
-    with open(args.out, "w") as f:
-        json.dump(merged, f, indent=2)
-    print(f"wrote {args.out}")
-
-
-if __name__ == "__main__":
-    main()

benchmarks/wiflow-std/eval_repro.py

@@ -1,102 +0,0 @@
-"""ADR-152 §2.2 measurement (a): reproduce WiFlow-STD (DY2434) published test metrics.
-
-Runs the released pretrained checkpoint (upstream/best_pose_model.pth) against the
-released Kaggle dataset (kaka2434/wiflow-dataset) using the upstream code path:
-identical dataset class, identical file-level 70/15/15 split at seed 42, identical
-PCK/MPJPE implementations (utils/metrics.py).
-
-Published claims (README, "Setting 1 random split"):
-  PCK@20 97.25% | PCK@30 98.63% | PCK@40 99.16% | PCK@50 99.48% | MPJPE 0.007 m
-
-Usage:
-  .venv/Scripts/python.exe eval_repro.py --data-dir <dir containing csi_windows.npy>
-"""
-
-import argparse
-import json
-import os
-import sys
-
-import torch
-from torch.utils.data import DataLoader
-
-from _bench_common import (UPSTREAM, evaluate, import_upstream,
-                           load_remapped_state, set_seed)
-
-import_upstream()  # sys.path + models stub + >1GB np.load mmap patch
-
-from dataset import PreprocessedCSIKeypointsDataset, create_preprocessed_train_val_test_loaders  # noqa: E402
-from models.pose_model import WiFlowPoseModel  # noqa: E402
-
-
-def find_data_dir(root):
-    for dirpath, _dirnames, filenames in os.walk(root):
-        if "csi_windows.npy" in filenames:
-            return dirpath
-    return None
-
-
-def main():
-    parser = argparse.ArgumentParser()
-    parser.add_argument("--data-dir", required=True,
-                        help="Directory containing csi_windows.npy (searched recursively)")
-    parser.add_argument("--checkpoint", default=os.path.join(UPSTREAM, "best_pose_model.pth"))
-    parser.add_argument("--batch-size", type=int, default=64)
-    parser.add_argument("--out", default=os.path.join(os.path.dirname(os.path.abspath(__file__)),
-                                                      "results", "repro_a.json"))
-    args = parser.parse_args()
-
-    data_dir = args.data_dir
-    if not os.path.exists(os.path.join(data_dir, "csi_windows.npy")):
-        located = find_data_dir(data_dir)
-        if located is None:
-            sys.exit(f"csi_windows.npy not found under {data_dir}")
-        data_dir = located
-    print(f"data dir: {data_dir}")
-
-    device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
-    print(f"device: {device}, torch {torch.__version__}")
-
-    set_seed(42)
-
-    dataset = PreprocessedCSIKeypointsDataset(
-        data_dir=data_dir, keypoint_scale=1000.0, enable_temporal_clean=True)
-
-    # split must match upstream: file-level shuffle at random_seed=42, 70/15/15
-    _train_loader, _val_loader, test_loader = create_preprocessed_train_val_test_loaders(
-        dataset=dataset, batch_size=args.batch_size, num_workers=0, random_seed=42)
-
-    model = WiFlowPoseModel(dropout=0.5).to(device)
-    # released checkpoint predates the published code: modules were renamed
-    # att -> attention, final_conv -> decoder (param count identical, 2.23M)
-    state = load_remapped_state(args.checkpoint, map_location=device)
-    model.load_state_dict(state, strict=True)
-    n_params = sum(p.numel() for p in model.parameters())
-    print(f"checkpoint: {args.checkpoint} ({n_params/1e6:.2f}M params)")
-
-    # upstream also evaluates with drop_last=True; we report the full test set
-    # (drop_last=False) and the drop_last variant for exact comparability
-    results = {"published": {"pck@20": 0.9725, "pck@30": 0.9863, "pck@40": 0.9916,
-                             "pck@50": 0.9948, "mpjpe": 0.007},
-               "params_millions": n_params / 1e6,
-               "data_dir": data_dir,
-               "device": str(device)}
-
-    print("=== test set (full, drop_last=False) ===")
-    results["test_full"] = evaluate(model, test_loader, device=device)
-    print(json.dumps(results["test_full"], indent=2))
-
-    test_loader_dl = DataLoader(test_loader.dataset, batch_size=args.batch_size,
-                                shuffle=False, drop_last=True)
-    print("=== test set (drop_last=True, as upstream train.py) ===")
-    results["test_drop_last"] = evaluate(model, test_loader_dl, device=device)
-    print(json.dumps(results["test_drop_last"], indent=2))
-
-    os.makedirs(os.path.dirname(args.out), exist_ok=True)
-    with open(args.out, "w") as f:
-        json.dump(results, f, indent=2)
-    print(f"wrote {args.out}")
-
-
-if __name__ == "__main__":
-    main()

benchmarks/wiflow-std/export_to_safetensors.py

@@ -1,174 +0,0 @@
-"""ADR-152 §2.2: export the retrained WiFlow-STD PyTorch checkpoint to
-safetensors with tch-rs (VarStore) variable names, plus a numerical-parity
-fixture for the Rust port.
-
-Outputs (all under results/, gitignored):
-  retrained_wiflow_std.safetensors  -- 248 f32 tensors named exactly as the
-                                       Rust WiFlowStdModel VarStore expects
-                                       (see wiflow_std/model.rs
-                                       `dump_variable_names` for the
-                                       authoritative name dump)
-  parity_fixture.npz                -- deterministic input (seed 42,
-                                       shape (2, 540, 20), uniform [0,1]) and
-                                       the Python model's eval-mode output
-  parity_fixture.json               -- same data as flattened f32 lists, for
-                                       the dependency-free Rust test
-                                       (tests/test_wiflow_std_parity.rs)
-
-PyTorch -> tch key mapping (derived from the VarStore dump, not guessed):
-
-  tcn.network.{i}.conv1_group.weight        -> tcn{i}.conv1_group.weight
-  tcn.network.{i}.bn*_{group,pw}.<leaf>     -> tcn{i}.bn*_{group,pw}.<leaf>
-  tcn.network.{i}.downsample.0.weight       -> tcn{i}.ds_conv.weight
-  tcn.network.{i}.downsample.1.<leaf>       -> tcn{i}.ds_bn.<leaf>
-  up.block.{0,1,4,5,8,9}.<leaf>             -> conv_in.{conv1,bn1,conv2,bn2,conv3,bn3}.<leaf>
-  up.downsample.{0,1}.<leaf>                -> conv_in.{ds_conv,ds_bn}.<leaf>
-  residual_blocks.{i}.block.{...}.<leaf>    -> conv{i}.{conv1..bn3}.<leaf>
-  residual_blocks.{i}.downsample.{0,1}      -> conv{i}.{ds_conv,ds_bn}
-  attention.{width,height}_axis.qkv_transform.weight
-                                            -> attention.{width,height}.qkv.weight
-  attention.{width,height}_axis.bn_*        -> attention.{width,height}.bn_*
-  decoder.{0,1,3,4}.<leaf>                  -> {dec_conv1,dec_bn1,dec_conv2,dec_bn2}.<leaf>
-  *.num_batches_tracked                     -> dropped (tch BatchNorm has no such buffer)
-
-Legacy upstream names (att. -> attention., final_conv. -> decoder.) are
-remapped first, exactly as eval_repro.py does for the released checkpoint.
-
-Usage:
-  .venv/Scripts/python.exe export_to_safetensors.py
-"""
-
-import json
-import os
-import re
-
-import numpy as np
-import torch
-from safetensors.torch import save_file
-
-from _bench_common import RESULTS, import_upstream, remap_legacy_keys
-
-import_upstream()  # sys.path + models stub
-
-from models.pose_model import WiFlowPoseModel  # noqa: E402
-
-CHECKPOINT = os.path.join(RESULTS, "retrained_best_pose_model.pth")
-
-# Sequential index -> tch sub-name inside one ConvBlock1/AsymmetricConvBlock:
-# [Conv2d(0), BN(1), SiLU(2), Dropout2d(3), Conv2d(4), BN(5), SiLU(6),
-#  Dropout2d(7), Conv2d(8), BN(9)]
-_BLOCK_IDX = {"0": "conv1", "1": "bn1", "4": "conv2", "5": "bn2",
-              "8": "conv3", "9": "bn3"}
-_DS_IDX = {"0": "ds_conv", "1": "ds_bn"}
-_DECODER_IDX = {"0": "dec_conv1", "1": "dec_bn1", "3": "dec_conv2",
-                "4": "dec_bn2"}
-
-
-def _conv_block(new_prefix: str, rest: str) -> str:
-    m = re.fullmatch(r"block\.(\d+)\.(.+)", rest)
-    if m:
-        return f"{new_prefix}.{_BLOCK_IDX[m.group(1)]}.{m.group(2)}"
-    m = re.fullmatch(r"downsample\.(\d+)\.(.+)", rest)
-    if m:
-        return f"{new_prefix}.{_DS_IDX[m.group(1)]}.{m.group(2)}"
-    raise KeyError(f"unmapped conv-block key: {new_prefix} / {rest}")
-
-
-def map_key(key: str) -> str:
-    """Map one PyTorch state_dict key to the tch VarStore name."""
-    m = re.fullmatch(r"tcn\.network\.(\d+)\.(.+)", key)
-    if m:
-        i, rest = m.groups()
-        rest = (rest.replace("downsample.0.", "ds_conv.")
-                    .replace("downsample.1.", "ds_bn."))
-        return f"tcn{i}.{rest}"
-
-    m = re.fullmatch(r"up\.(.+)", key)
-    if m:
-        return _conv_block("conv_in", m.group(1))
-
-    m = re.fullmatch(r"residual_blocks\.(\d+)\.(.+)", key)
-    if m:
-        return _conv_block(f"conv{m.group(1)}", m.group(2))
-
-    m = re.fullmatch(r"attention\.(width|height)_axis\.(.+)", key)
-    if m:
-        axis, rest = m.groups()
-        rest = rest.replace("qkv_transform.", "qkv.")
-        return f"attention.{axis}.{rest}"
-
-    m = re.fullmatch(r"decoder\.(\d+)\.(.+)", key)
-    if m:
-        return f"{_DECODER_IDX[m.group(1)]}.{m.group(2)}"
-
-    raise KeyError(f"unmapped checkpoint key: {key}")
-
-
-def main():
-    state = torch.load(CHECKPOINT, map_location="cpu", weights_only=True)
-    if not isinstance(state, dict) or "tcn.network.0.conv1_group.weight" not in {
-        k for k in state
-    } | {k.replace("att.", "attention.") for k in state}:
-        # tolerate trainer wrappers like {"model_state_dict": ...}
-        for wrapper in ("model_state_dict", "state_dict", "model"):
-            if isinstance(state, dict) and wrapper in state:
-                state = state[wrapper]
-                break
-
-    # Legacy upstream names predate the published code (_bench_common).
-    state = remap_legacy_keys(state)
-
-    mapped = {}
-    dropped = 0
-    for k, v in state.items():
-        if k.endswith("num_batches_tracked"):
-            dropped += 1
-            continue
-        tch_key = map_key(k)
-        if tch_key in mapped:
-            raise KeyError(f"duplicate mapped key: {k} -> {tch_key}")
-        mapped[tch_key] = v.detach().to(torch.float32).contiguous()
-
-    n_params = sum(v.numel() for k, v in mapped.items()
-                   if "running_" not in k)
-    print(f"checkpoint tensors: {len(state)} "
-          f"(dropped {dropped} num_batches_tracked)")
-    print(f"mapped tensors: {len(mapped)}, "
-          f"non-buffer params: {n_params/1e6:.6f}M")
-    assert len(mapped) == 248, f"expected 248 tch variables, got {len(mapped)}"
-    assert n_params == 2_225_042, f"param count mismatch: {n_params}"
-
-    st_path = os.path.join(RESULTS, "retrained_wiflow_std.safetensors")
-    save_file(mapped, st_path)
-    print(f"wrote {st_path}")
-
-    # ---- parity fixture --------------------------------------------------
-    model = WiFlowPoseModel(dropout=0.5)
-    model.load_state_dict(state, strict=True)
-    model.eval()
-
-    gen = torch.Generator().manual_seed(42)
-    x = torch.rand(2, 540, 20, generator=gen, dtype=torch.float32)
-    with torch.no_grad():
-        y = model(x)
-    print(f"fixture input {tuple(x.shape)} -> output {tuple(y.shape)}, "
-          f"output range [{y.min().item():.6f}, {y.max().item():.6f}]")
-
-    np.savez(os.path.join(RESULTS, "parity_fixture.npz"),
-             input=x.numpy(), output=y.numpy())
-    fixture = {
-        "seed": 42,
-        "input_shape": list(x.shape),
-        "input": x.flatten().tolist(),
-        "output_shape": list(y.shape),
-        "output": y.flatten().tolist(),
-    }
-    json_path = os.path.join(RESULTS, "parity_fixture.json")
-    with open(json_path, "w") as f:
-        json.dump(fixture, f)
-    print(f"wrote {os.path.join(RESULTS, 'parity_fixture.npz')}")
-    print(f"wrote {json_path}")
-
-
-if __name__ == "__main__":
-    main()

benchmarks/wiflow-std/generate_corruption_masks.py

@@ -1,148 +0,0 @@
-"""Regenerate results/nan_windows_mask.npy + results/big_windows_mask.npy by
-scanning a PRISTINE kagglehub download of the WiFlow-STD dataset
-(kaka2434/wiflow-dataset v1, csi_windows.npy, 360,000 windows of 540x20).
-
-============================ READ THIS FIRST ===============================
-This script MUST be run against an UNCLEANED copy of the dataset.
-
-remote/clean_v2.py (and its predecessor clean_nan.py) repair the dataset by
-zeroing the corrupted windows IN PLACE, with no backup. A cleaned copy
-contains no non-finite values and no out-of-range amplitudes, so on a cleaned
-copy this scan produces ALL-FALSE masks -- silently wrong ground truth. The
-script errors out loudly in that case (see the sanity check in main()).
-
-That irreversibility is exactly why the two committed mask files under
-results/ (gitignore-negated) are the canonical ground truth: once a download
-has been cleaned, the masks can NEVER be regenerated from it. Only run this
-on a fresh `kagglehub.dataset_download("kaka2434/wiflow-dataset")`.
-============================================================================
-
-Criteria (per window; mirrors the original 2026-06-10 scan and the
-remote/clean_v2.py repair criteria):
-
-  nan mask: any non-finite value (NaN/Inf) anywhere in the 540x20 window
-  big mask: max |finite value| > 1.5 (the data is otherwise [0,1]-normalized;
-            the corrupted files contain garbage up to 3.4e38, float32 max)
-
-Expected result on the pristine Kaggle download (RESULTS.md defect 5):
-  nan: 9,070 True | big: 9,072 True | union: 9,072 -- all windows in dataset
-  files 487-499 (the final 13 files), window indices 350,922-359,999.
-
-Usage:
-  PYTHONUTF8=1 .venv/Scripts/python.exe generate_corruption_masks.py \
-      [--data-dir <dir containing csi_windows.npy>] [--out-dir results]
-"""
-
-import argparse
-import os
-import sys
-
-import numpy as np
-
-HERE = os.path.dirname(os.path.abspath(__file__))
-RESULTS = os.path.join(HERE, "results")
-
-EXPECTED = {"nan": 9070, "big": 9072, "union": 9072,
-            "files": (487, 499), "windows": (350922, 359999)}
-
-
-def scan(csi_path, chunk=4000):
-    """Chunked scan of the (mmap'd) windows array; returns (nan_mask, big_mask)."""
-    csi = np.load(csi_path, mmap_mode="r")
-    n = len(csi)
-    nan_mask = np.zeros(n, dtype=bool)
-    big_mask = np.zeros(n, dtype=bool)
-    for i in range(0, n, chunk):
-        block = np.asarray(csi[i:i + chunk])
-        finite = np.isfinite(block)
-        nan_mask[i:i + chunk] = (~finite).any(axis=(1, 2))
-        big_mask[i:i + chunk] = (
-            np.abs(np.where(finite, block, 0)).max(axis=(1, 2)) > 1.5)
-        if (i // chunk) % 10 == 0:
-            print(f"  scanned {min(i + chunk, n):,}/{n:,} windows "
-                  f"(nan={int(nan_mask.sum()):,} big={int(big_mask.sum()):,})",
-                  flush=True)
-    return nan_mask, big_mask
-
-
-def describe_files(data_dir, mask):
-    """Map marked windows to dataset file indices via window_info.npz."""
-    info = os.path.join(data_dir, "window_info.npz")
-    if not os.path.exists(info):
-        return None
-    w2f = np.load(info)["window_to_file"]
-    return np.unique(w2f[mask])
-
-
-def main():
-    parser = argparse.ArgumentParser(
-        description="Regenerate the corruption masks from a PRISTINE "
-                    "(uncleaned) kagglehub download. See module docstring.")
-    parser.add_argument("--data-dir", default=os.path.join(
-        os.path.expanduser("~"), ".cache", "kagglehub", "datasets", "kaka2434",
-        "wiflow-dataset", "versions", "1", "preprocessed_csi_data"),
-        help="Directory containing csi_windows.npy (PRISTINE copy)")
-    parser.add_argument("--out-dir", default=RESULTS,
-                        help="Where to write the two .npy masks")
-    parser.add_argument("--chunk", type=int, default=4000,
-                        help="Windows per scan chunk (memory/speed tradeoff)")
-    args = parser.parse_args()
-
-    csi_path = os.path.join(args.data_dir, "csi_windows.npy")
-    if not os.path.exists(csi_path):
-        sys.exit(f"csi_windows.npy not found in {args.data_dir}")
-
-    print(f"scanning {csi_path} (chunk={args.chunk}) ...")
-    nan_mask, big_mask = scan(csi_path, args.chunk)
-    union = nan_mask | big_mask
-    print(f"nan: {int(nan_mask.sum()):,} | big: {int(big_mask.sum()):,} | "
-          f"union: {int(union.sum()):,} of {len(union):,} windows")
-
-    # ---- sanity check: an all-False result means a CLEANED copy ------------
-    if not union.any():
-        sys.exit(
-            "ERROR: scan found ZERO corrupted windows.\n"
-            "\n"
-            "The pristine Kaggle download (kaka2434/wiflow-dataset v1) is "
-            "known to contain\n"
-            "9,072 corrupted windows (NaN/Inf + amplitudes up to 3.4e38) in "
-            "dataset files\n"
-            "487-499 (RESULTS.md, reproducibility defect 5). Finding none "
-            "means this copy\n"
-            "has almost certainly already been repaired by remote/clean_v2.py "
-            "(or clean_nan.py),\n"
-            "which zeroes the corrupted windows IN PLACE -- after that the "
-            "corruption evidence\n"
-            "is gone and the masks CANNOT be regenerated from this copy.\n"
-            "\n"
-            "Refusing to overwrite the committed ground-truth masks with "
-            "all-False ones.\n"
-            "Re-download the dataset (kagglehub.dataset_download("
-            "'kaka2434/wiflow-dataset'))\n"
-            "and point --data-dir at the fresh, uncleaned copy.")
-
-    files = describe_files(args.data_dir, union)
-    if files is not None:
-        print(f"marked windows span dataset files {files.min()}-{files.max()}: "
-              f"{files.tolist()}")
-        lo, hi = EXPECTED["files"]
-        if files.min() != lo or files.max() != hi:
-            print(f"WARNING: expected marked files exactly {lo}-{hi} "
-                  f"(the pristine v1 download); got {files.min()}-{files.max()}. "
-                  f"Different dataset version, or a partially cleaned copy?")
-    for name, mask, exp in (("nan", nan_mask, EXPECTED["nan"]),
-                            ("big", big_mask, EXPECTED["big"])):
-        if int(mask.sum()) != exp:
-            print(f"WARNING: {name} mask has {int(mask.sum()):,} True windows; "
-                  f"the pristine v1 download yields {exp:,}.")
-
-    os.makedirs(args.out_dir, exist_ok=True)
-    for name, mask in (("nan_windows_mask.npy", nan_mask),
-                       ("big_windows_mask.npy", big_mask)):
-        out = os.path.join(args.out_dir, name)
-        np.save(out, mask)
-        print(f"wrote {out} ({int(mask.sum()):,} True)")
-
-
-if __name__ == "__main__":
-    main()

benchmarks/wiflow-std/onnx_bench.py

@@ -1,220 +0,0 @@
-"""ADR-152 edge optimization: ONNX export + onnxruntime CPU benchmark for the
-retrained WiFlow-STD checkpoint.
-
-- Exports fp32 to ONNX. The axial attention reshapes with python ints taken
-  from tensor.size() (view(N*W, C, H)), so a traced graph bakes the batch
-  size; we first try a dynamic-batch export and verify it actually works at
-  batch sizes 1/2/64 -- if not, we fall back to fixed-batch exports.
-- Verifies output parity vs torch on the stored fixture
-  (results/parity_fixture.npz, batch 2, seed 42): max abs diff < 1e-4.
-- Measures onnxruntime CPU latency at batch 1 and 64 (median of N runs).
-- Supplementary: onnxruntime dynamic int8 quantization of the exported model
-  (weight size datapoint for the paper's "~2.2 MB int8" claim).
-
-Usage:
-  .venv/Scripts/python.exe onnx_bench.py
-
-Writes/merges into results/edge_optimization.json under key "onnx".
-"""
-
-import json
-import os
-import platform
-import statistics
-import time
-import traceback
-
-import numpy as np
-import torch
-
-from _bench_common import RESULTS, import_upstream, load_wiflow_model
-
-import_upstream()  # sys.path + models stub + >1GB np.load mmap patch
-
-CHECKPOINT = os.path.join(RESULTS, "retrained_best_pose_model.pth")
-OUT_JSON = os.path.join(RESULTS, "edge_optimization.json")
-
-
-def load_fp32_model():
-    return load_wiflow_model(CHECKPOINT)
-
-
-def try_export(model, path, batch, dynamic, opset=17):
-    """Returns (ok, exporter_used, error)."""
-    x = torch.rand(batch, 540, 20)
-    attempts = []
-    if dynamic:
-        attempts.append(("dynamo", dict(dynamo=True,
-                                        dynamic_shapes={"x": {0: "batch"}})))
-        attempts.append(("torchscript", dict(dynamo=False,
-                                             dynamic_axes={"input": {0: "batch"},
-                                                           "output": {0: "batch"}})))
-    else:
-        attempts.append(("torchscript", dict(dynamo=False)))
-        attempts.append(("dynamo", dict(dynamo=True)))
-    last_err = None
-    for name, kw in attempts:
-        try:
-            with torch.no_grad():
-                torch.onnx.export(model, (x,), path, opset_version=opset,
-                                  input_names=["input"], output_names=["output"],
-                                  **kw)
-            return True, name, None
-        except Exception as e:  # noqa: BLE001
-            last_err = f"{name}: {type(e).__name__}: {e}"
-            traceback.print_exc()
-    return False, None, last_err
-
-
-def ort_session(path):
-    import onnxruntime as ort
-    return ort.InferenceSession(path, providers=["CPUExecutionProvider"])
-
-
-def ort_run(sess, x):
-    inp = sess.get_inputs()[0].name
-    return sess.run(None, {inp: x})[0]
-
-
-def bench_ort(sess, batch, n_runs):
-    rng = np.random.default_rng(123)
-    x = rng.random((batch, 540, 20), dtype=np.float32)
-    for _ in range(max(5, n_runs // 10)):
-        ort_run(sess, x)
-    times = []
-    for _ in range(n_runs):
-        t0 = time.perf_counter()
-        ort_run(sess, x)
-        times.append(time.perf_counter() - t0)
-    med = statistics.median(times)
-    return {
-        "batch_size": batch,
-        "runs": n_runs,
-        "median_ms_per_batch": med * 1e3,
-        "median_ms_per_window": med * 1e3 / batch,
-        "windows_per_second": batch / med,
-    }
-
-
-def main():
-    import argparse
-    parser = argparse.ArgumentParser(
-        description="ONNX export + onnxruntime CPU benchmark for the "
-                    "retrained WiFlow-STD checkpoint (no options; see "
-                    "module docstring). NB: the published "
-                    "retrained_fp32_dynamic.onnx came from the TorchScript "
-                    "exporter; on newer torch the dynamo attempt may succeed "
-                    "first and produce a different (external-data) artifact.")
-    parser.parse_args()
-
-    import onnxruntime
-    model = load_fp32_model()
-    results = {
-        "env": {
-            "torch": torch.__version__,
-            "onnxruntime": onnxruntime.__version__,
-            "platform": platform.platform(),
-        },
-    }
-
-    fixture = np.load(os.path.join(RESULTS, "parity_fixture.npz"))
-    fx, fy = fixture["input"], fixture["output"]  # (2,540,20) -> (2,15,2)
-
-    # ---- export: dynamic batch first, fall back to fixed --------------------
-    dyn_path = os.path.join(RESULTS, "retrained_fp32_dynamic.onnx")
-    ok, exporter, err = try_export(model, dyn_path, batch=2, dynamic=True)
-    dynamic_works = False
-    if ok:
-        # verify the dynamic graph really runs at other batch sizes
-        try:
-            sess = ort_session(dyn_path)
-            for b in (1, 2, 64):
-                y = ort_run(sess, np.zeros((b, 540, 20), dtype=np.float32))
-                assert y.shape == (b, 15, 2), y.shape
-            dynamic_works = True
-        except Exception as e:  # noqa: BLE001
-            print(f"dynamic-batch model does not generalize: {e}")
-
-    sessions = {}
-    if dynamic_works:
-        results["export"] = {"mode": "dynamic-batch", "exporter": exporter,
-                             "file": os.path.basename(dyn_path),
-                             "size_mb": os.path.getsize(dyn_path) / 1e6}
-        sess = ort_session(dyn_path)
-        sessions = {1: sess, 2: sess, 64: sess}
-        print(f"dynamic-batch export OK via {exporter}")
-    else:
-        results["export"] = {"mode": "fixed-batch", "fallback_reason": err,
-                             "files": {}}
-        for b in (1, 2, 64):
-            p = os.path.join(RESULTS, f"retrained_fp32_b{b}.onnx")
-            ok, exporter, err = try_export(model, p, batch=b, dynamic=False)
-            if not ok:
-                results["export"]["files"][str(b)] = {"error": err}
-                print(f"EXPORT FAILED at batch {b}: {err}")
-                continue
-            results["export"]["files"][str(b)] = {
-                "exporter": exporter, "file": os.path.basename(p),
-                "size_mb": os.path.getsize(p) / 1e6}
-            sessions[b] = ort_session(p)
-            print(f"fixed-batch {b} export OK via {exporter}")
-
-    # ---- parity vs torch on the fixture -------------------------------------
-    if 2 in sessions:
-        y_ort = ort_run(sessions[2], fx)
-        with torch.no_grad():
-            y_torch = model(torch.from_numpy(fx)).numpy()
-        results["parity"] = {
-            "fixture": "results/parity_fixture.npz (batch 2, seed 42)",
-            "max_abs_diff_vs_stored_fixture": float(np.abs(y_ort - fy).max()),
-            "max_abs_diff_vs_torch_now": float(np.abs(y_ort - y_torch).max()),
-            "pass_lt_1e-4": bool(np.abs(y_ort - y_torch).max() < 1e-4),
-        }
-        print("parity:", json.dumps(results["parity"], indent=2))
-
-    # ---- latency -------------------------------------------------------------
-    results["latency"] = {}
-    if 1 in sessions:
-        results["latency"]["batch1"] = bench_ort(sessions[1], 1, 100)
-        print(f"ORT batch 1:  {results['latency']['batch1']['median_ms_per_window']:.2f} ms/window")
-    if 64 in sessions:
-        results["latency"]["batch64"] = bench_ort(sessions[64], 64, 30)
-        print(f"ORT batch 64: {results['latency']['batch64']['median_ms_per_window']:.3f} ms/window")
-
-    # ---- supplementary: ORT dynamic int8 (size datapoint for the 2.2MB claim)
-    src = (dyn_path if dynamic_works
-           else os.path.join(RESULTS, "retrained_fp32_b1.onnx"))
-    if os.path.exists(src):
-        try:
-            from onnxruntime.quantization import QuantType, quantize_dynamic
-            q_path = os.path.join(RESULTS, "retrained_int8_ort_dynamic.onnx")
-            quantize_dynamic(src, q_path, weight_type=QuantType.QInt8)
-            entry = {"file": os.path.basename(q_path),
-                     "size_mb": os.path.getsize(q_path) / 1e6}
-            try:
-                qs = ort_session(q_path)
-                yq = ort_run(qs, fx[:1] if not dynamic_works else fx)
-                ref = fy[:1] if not dynamic_works else fy
-                entry["runs"] = True
-                entry["max_abs_diff_vs_fp32_fixture"] = float(np.abs(yq - ref).max())
-            except Exception as e:  # noqa: BLE001
-                entry["runs"] = False
-                entry["run_error"] = f"{type(e).__name__}: {e}"
-            results["ort_int8_dynamic_supplementary"] = entry
-            print("ORT int8:", json.dumps(entry, indent=2))
-        except Exception as e:  # noqa: BLE001
-            results["ort_int8_dynamic_supplementary"] = {
-                "error": f"{type(e).__name__}: {e}"}
-
-    merged = {}
-    if os.path.exists(OUT_JSON):
-        with open(OUT_JSON) as f:
-            merged = json.load(f)
-    merged["onnx"] = results
-    with open(OUT_JSON, "w") as f:
-        json.dump(merged, f, indent=2)
-    print(f"wrote {OUT_JSON}")
-
-
-if __name__ == "__main__":
-    main()

benchmarks/wiflow-std/quantize_bench.py

@@ -1,228 +0,0 @@
-"""ADR-152 "optimize beyond SOTA": edge-optimization benchmark for the
-retrained WiFlow-STD checkpoint (results/retrained_best_pose_model.pth,
-~96% PCK@20, fp32 params 2,225,042).
-
-Measures, for fp32 / fp16 / dynamic-int8 torch variants:
-  (a) serialized state_dict size on disk,
-  (b) CPU inference latency per window at batch 1 and batch 64
-      (median of repeated runs, this Windows box),
-  (c) accuracy (PCK@20/50 + MPJPE, upstream metrics) on a corruption-free
-      random subset of the seed-42 file-level 70/15/15 test split
-      (same split as eval_repro.py; corrupted windows 487-499 excluded via
-      results/nan_windows_mask.npy | results/big_windows_mask.npy).
-
-Also verifies the paper's "~2.2 MB int8" size claim: reports which layer
-types torch dynamic quantization actually converts (the model contains NO
-nn.Linear -- it is Conv1d/Conv2d/BatchNorm only) and the real on-disk size.
-
-Usage:
-  .venv/Scripts/python.exe quantize_bench.py \
-      --data-dir C:/Users/ruv/.cache/kagglehub/datasets/kaka2434/wiflow-dataset/versions/1/preprocessed_csi_data \
-      [--subset 10000] [--skip-accuracy]
-
-Writes/merges into results/edge_optimization.json under key "torch".
-"""
-
-import argparse
-import json
-import os
-import platform
-import statistics
-import time
-
-import numpy as np
-import torch
-import torch.nn as nn
-from torch.utils.data import DataLoader
-
-from _bench_common import HERE, RESULTS, evaluate, import_upstream, load_wiflow_model
-
-import_upstream()  # sys.path + models stub + >1GB np.load mmap patch
-
-from dataset import (  # noqa: E402
-    PreprocessedCSIKeypointsDataset,
-    create_preprocessed_train_val_test_loaders,
-)
-
-CHECKPOINT = os.path.join(RESULTS, "retrained_best_pose_model.pth")
-
-
-def load_fp32_model():
-    # legacy upstream key remap inside is a harmless no-op on this checkpoint
-    return load_wiflow_model(CHECKPOINT)
-
-
-def state_dict_size_bytes(model, path):
-    torch.save(model.state_dict(), path)
-    return os.path.getsize(path)
-
-
-def bench_latency(model, batch_size, n_runs, dtype=torch.float32):
-    gen = torch.Generator().manual_seed(123)
-    x = torch.rand(batch_size, 540, 20, generator=gen).to(dtype)
-    with torch.no_grad():
-        for _ in range(max(5, n_runs // 10)):  # warmup
-            model(x)
-        times = []
-        for _ in range(n_runs):
-            t0 = time.perf_counter()
-            model(x)
-            times.append(time.perf_counter() - t0)
-    med = statistics.median(times)
-    return {
-        "batch_size": batch_size,
-        "runs": n_runs,
-        "median_ms_per_batch": med * 1e3,
-        "median_ms_per_window": med * 1e3 / batch_size,
-        "windows_per_second": batch_size / med,
-    }
-
-
-def build_test_subset(data_dir, subset_size, batch_size=64):
-    """Seed-42 file-level 70/15/15 test split (exactly as eval_repro.py),
-    minus corrupted windows, then a seed-42 random subset."""
-    dataset = PreprocessedCSIKeypointsDataset(
-        data_dir=data_dir, keypoint_scale=1000.0, enable_temporal_clean=True)
-    _tr, _va, test_loader = create_preprocessed_train_val_test_loaders(
-        dataset=dataset, batch_size=batch_size, num_workers=0, random_seed=42)
-    test_indices = np.asarray(test_loader.dataset.indices)
-
-    corrupted = (np.load(os.path.join(RESULTS, "nan_windows_mask.npy"))
-                 | np.load(os.path.join(RESULTS, "big_windows_mask.npy")))
-    clean = test_indices[~corrupted[test_indices]]
-    print(f"test split: {len(test_indices)} windows, "
-          f"{len(test_indices) - len(clean)} corrupted excluded, "
-          f"{len(clean)} clean")
-
-    if subset_size and subset_size < len(clean):
-        rng = np.random.default_rng(42)
-        clean = np.sort(rng.choice(clean, size=subset_size, replace=False))
-    subset = torch.utils.data.Subset(dataset, clean.tolist())
-    loader = DataLoader(subset, batch_size=batch_size, shuffle=False,
-                        num_workers=0)
-    return loader, len(clean)
-
-
-def quantize_int8_dynamic(fp32_model):
-    """torch.ao.quantization.quantize_dynamic on Linear/Conv where supported.
-    Returns (model, report) where report documents what actually quantized."""
-    qmodel = torch.ao.quantization.quantize_dynamic(
-        fp32_model, {nn.Linear, nn.Conv1d, nn.Conv2d}, dtype=torch.qint8)
-
-    quantized, total_params, quant_params = [], 0, 0
-    for name, mod in qmodel.named_modules():
-        cls = type(mod).__module__ + "." + type(mod).__name__
-        if "quantized" in cls:
-            w = mod.weight() if callable(getattr(mod, "weight", None)) else None
-            numel = w.numel() if w is not None else 0
-            quant_params += numel
-            quantized.append({"module": name, "class": cls, "params": numel})
-    for p in fp32_model.parameters():
-        total_params += p.numel()
-
-    n_linear = sum(isinstance(m, nn.Linear) for m in fp32_model.modules())
-    n_conv1d = sum(isinstance(m, nn.Conv1d) for m in fp32_model.modules())
-    n_conv2d = sum(isinstance(m, nn.Conv2d) for m in fp32_model.modules())
-    report = {
-        "eligible_module_counts": {
-            "nn.Linear": n_linear, "nn.Conv1d": n_conv1d, "nn.Conv2d": n_conv2d},
-        "modules_actually_quantized": quantized,
-        "n_modules_quantized": len(quantized),
-        "params_total": total_params,
-        "params_quantized": quant_params,
-        "params_quantized_fraction": quant_params / total_params,
-    }
-    return qmodel, report
-
-
-def main():
-    parser = argparse.ArgumentParser()
-    parser.add_argument("--data-dir", default=os.path.join(
-        os.path.expanduser("~"), ".cache", "kagglehub", "datasets", "kaka2434",
-        "wiflow-dataset", "versions", "1", "preprocessed_csi_data"))
-    parser.add_argument("--subset", type=int, default=10000)
-    parser.add_argument("--runs-b1", type=int, default=100)
-    parser.add_argument("--runs-b64", type=int, default=30)
-    parser.add_argument("--skip-accuracy", action="store_true")
-    parser.add_argument("--out", default=os.path.join(RESULTS, "edge_optimization.json"))
-    args = parser.parse_args()
-
-    torch.manual_seed(42)
-    results = {
-        "env": {
-            "torch": torch.__version__,
-            "platform": platform.platform(),
-            "processor": platform.processor(),
-            "num_threads": torch.get_num_threads(),
-            "checkpoint": os.path.relpath(CHECKPOINT, HERE),
-        },
-        "variants": {},
-    }
-
-    # ---- build variants ---------------------------------------------------
-    fp32 = load_fp32_model()
-    n_params = sum(p.numel() for p in fp32.parameters())
-    results["env"]["params"] = n_params
-    print(f"fp32 model: {n_params:,} params")
-
-    fp16 = load_fp32_model().half()
-
-    int8, q_report = quantize_int8_dynamic(load_fp32_model())
-    results["int8_dynamic_quant_report"] = q_report
-    print(f"int8 dynamic: {q_report['n_modules_quantized']} modules quantized, "
-          f"{q_report['params_quantized_fraction']*100:.1f}% of params")
-
-    variants = {
-        "fp32": (fp32, torch.float32, "retrained_fp32_resaved.pth"),
-        "fp16": (fp16, torch.float16, "retrained_fp16.pth"),
-        "int8_dynamic": (int8, torch.float32, "retrained_int8_dynamic.pth"),
-    }
-
-    # ---- (a) size + (b) latency -------------------------------------------
-    for name, (model, dtype, fname) in variants.items():
-        path = os.path.join(RESULTS, fname)
-        size = state_dict_size_bytes(model, path)
-        print(f"\n=== {name}: {size/1e6:.3f} MB on disk ({fname}) ===")
-        lat1 = bench_latency(model, 1, args.runs_b1, dtype)
-        lat64 = bench_latency(model, 64, args.runs_b64, dtype)
-        print(f"  batch 1:  {lat1['median_ms_per_window']:.2f} ms/window "
-              f"({lat1['windows_per_second']:.0f}/s)")
-        print(f"  batch 64: {lat64['median_ms_per_window']:.3f} ms/window "
-              f"({lat64['windows_per_second']:.0f}/s)")
-        results["variants"][name] = {
-            "file": fname,
-            "size_bytes": size,
-            "size_mb": size / 1e6,
-            "latency_batch1": lat1,
-            "latency_batch64": lat64,
-        }
-
-    # ---- (c) accuracy ------------------------------------------------------
-    if not args.skip_accuracy:
-        loader, n_clean = build_test_subset(args.data_dir, args.subset)
-        results["accuracy_subset"] = {
-            "description": "seed-42 file-level 70/15/15 test split, corrupted "
-                           "windows (files 487-499) excluded, seed-42 random "
-                           "subset",
-            "subset_size": min(args.subset, n_clean) if args.subset else n_clean,
-            "clean_test_total": n_clean,
-        }
-        for name, (model, dtype, _f) in variants.items():
-            print(f"\n=== accuracy: {name} ===")
-            results["variants"][name]["accuracy"] = evaluate(
-                model, loader, dtype=dtype, label=name)
-            print(json.dumps(results["variants"][name]["accuracy"], indent=2))
-
-    # ---- merge into edge_optimization.json ---------------------------------
-    merged = {}
-    if os.path.exists(args.out):
-        with open(args.out) as f:
-            merged = json.load(f)
-    merged["torch"] = results
-    with open(args.out, "w") as f:
-        json.dump(merged, f, indent=2)
-    print(f"\nwrote {args.out}")
-
-
-if __name__ == "__main__":
-    main()

benchmarks/wiflow-std/remote/clean_v2.py

@@ -1,14 +0,0 @@
-import numpy as np, os
-d = os.path.expanduser('~/wiflow-std-bench/preprocessed_csi_data')
-csi = np.load(os.path.join(d, 'csi_windows.npy'), mmap_mode='r+')
-zeroed = 0
-chunk = 4000
-for i in range(0, len(csi), chunk):
-    block = csi[i:i+chunk]
-    finite = np.isfinite(block)
-    bad = (~finite).any(axis=(1, 2)) | (np.abs(np.where(finite, block, 0)).max(axis=(1, 2)) > 1.5)
-    if bad.any():
-        block[bad] = 0.0
-        zeroed += int(bad.sum())
-csi.flush()
-print(f'zeroed {zeroed} corrupted windows entirely')

benchmarks/wiflow-std/remote/eval_retrained.py

@@ -1,112 +0,0 @@
-"""Evaluate the retrained WiFlow-STD checkpoint (ADR-152 §2.2a fallback).
-
-Scores the model produced by run.py (train_output/best_pose_model.pth or similar)
-on the seed-42 test split: full test set AND NaN-free subset (excluding windows
-that were zero-filled by clean_nan.py — file indices 487-499).
-
-NOTE: deployed to ruvultra (~/wiflow-std-bench) as a standalone single file,
-so it deliberately inlines its helpers. The reference implementations (upstream
-import shim, >1GB np.load mmap patch, key-remap loader, canonical evaluate
-loop) live in benchmarks/wiflow-std/_bench_common.py — keep copies in sync.
-"""
-import json, os, random, sys
-
-import numpy as np
-import torch
-from torch.utils.data import DataLoader, Subset
-
-# csi_windows.npy is ~13 GB; mmap large arrays instead of eagerly loading
-# ~15 GB into RAM (same patch as _bench_common._np_load_mmap).
-_np_load = np.load
-
-
-def _np_load_mmap(path, *a, **kw):
-    if (isinstance(path, str) and path.endswith('.npy')
-            and os.path.getsize(path) > 1 << 30 and 'mmap_mode' not in kw):
-        kw['mmap_mode'] = 'r'
-    return _np_load(path, *a, **kw)
-
-
-np.load = _np_load_mmap
-
-sys.path.insert(0, os.path.expanduser('~/wiflow-std-bench/upstream'))
-from dataset import PreprocessedCSIKeypointsDataset, create_preprocessed_train_val_test_loaders
-from models.pose_model import WiFlowPoseModel
-from utils.metrics import calculate_pck, calculate_mpjpe
-
-
-def find_checkpoint():
-    cands = []
-    for root, _, files in os.walk(os.path.expanduser('~/wiflow-std-bench/train_output')):
-        for f in files:
-            if f.endswith('.pth'):
-                cands.append(os.path.join(root, f))
-    # also upstream/test default output dir
-    for root, _, files in os.walk(os.path.expanduser('~/wiflow-std-bench/upstream')):
-        for f in files:
-            if f.endswith('.pth') and 'best' in f and 'cross_dataset' not in root:
-                p = os.path.join(root, f)
-                if os.path.getmtime(p) > os.path.getmtime(os.path.expanduser('~/wiflow-std-bench/train.log')) - 86400 * 2:
-                    cands.append(p)
-    cands = [c for c in cands if not c.endswith('upstream/best_pose_model.pth')]
-    if not cands:
-        sys.exit('no retrained checkpoint found')
-    return max(cands, key=os.path.getmtime)
-
-
-def evaluate(model, loader, device):
-    model.eval()
-    totals = {t: 0.0 for t in (0.1, 0.2, 0.3, 0.4, 0.5)}
-    total_mpe, n = 0.0, 0
-    with torch.no_grad():
-        for bx, by in loader:
-            bx, by = bx.to(device), by.to(device)
-            out = model(bx)
-            bs = by.size(0)
-            total_mpe += calculate_mpjpe(out, by) * bs
-            pck = calculate_pck(out, by, thresholds=list(totals))
-            for t in totals:
-                totals[t] += pck[t] * bs
-            n += bs
-    return {'samples': n, 'mpjpe': total_mpe / n,
-            **{f'pck@{int(t*100)}': totals[t] / n for t in totals}}
-
-
-random.seed(42); np.random.seed(42); torch.manual_seed(42)
-torch.cuda.manual_seed_all(42)
-torch.backends.cudnn.deterministic = True
-
-d = os.path.expanduser('~/wiflow-std-bench/preprocessed_csi_data')
-dataset = PreprocessedCSIKeypointsDataset(data_dir=d, keypoint_scale=1000.0,
-                                          enable_temporal_clean=True)
-_, _, test_loader = create_preprocessed_train_val_test_loaders(
-    dataset=dataset, batch_size=256, num_workers=2, random_seed=42)
-
-device = torch.device('cuda')
-ckpt = find_checkpoint()
-print('checkpoint:', ckpt)
-model = WiFlowPoseModel(dropout=0.5).to(device)
-state = torch.load(ckpt, map_location=device, weights_only=True)
-renames = {'att.': 'attention.', 'final_conv.': 'decoder.'}
-state = {next((new + k[len(old):] for old, new in renames.items()
-               if k.startswith(old)), k): v for k, v in state.items()}
-model.load_state_dict(state, strict=True)
-
-results = {'checkpoint': ckpt}
-print('=== full test set ===')
-results['test_full'] = evaluate(model, test_loader, device)
-print(json.dumps(results['test_full'], indent=2))
-
-# NaN-free subset: exclude windows from corrupted files 487-499
-test_subset = test_loader.dataset            # Subset(dataset, test_indices)
-w2f = dataset.window_to_file
-clean_idx = [i for i in test_subset.indices if w2f[i] < 487]
-print(f'=== NaN-free test subset ({len(clean_idx)} of {len(test_subset.indices)}) ===')
-clean_loader = DataLoader(Subset(dataset, clean_idx), batch_size=256, shuffle=False)
-results['test_clean'] = evaluate(model, clean_loader, device)
-print(json.dumps(results['test_clean'], indent=2))
-
-out = os.path.expanduser('~/wiflow-std-bench/eval_retrained.json')
-with open(out, 'w') as f:
-    json.dump(results, f, indent=2)
-print('wrote', out)

benchmarks/wiflow-std/remote/measb/train_measb.py

@@ -1,374 +0,0 @@
-"""ADR-152 SS2.2 measurement (b): WiFlow-STD fine-tuned on our fresh ESP32 paired dataset.
-
-Dataset: ~/wiflow-std-bench/paired-20260610.jsonl -- 2,046 paired windows collected
-2026-06-10 22:10-22:40 (ONE subject, ONE room, ONE ESP32 node, varied poses).
-Per record: csi = flat float32 list, csi_shape, kp = 17 COCO [x, y] normalized [0,1]
-camera coords, conf (MediaPipe mean confidence, all > 0.5 in this set), ts_start/ts_end.
-Aligner: scripts/align-ground-truth.js, non-overlapping 20-frame windows (~0.42 s each).
-
-Dataset findings (MEASURED on this file, 2026-06-10):
-  - csi_shape is HETEROGENEOUS, not uniformly [70, 20]: 1,347x [70,20], 284x [134,20],
-    243x [26,20], 130x [12,20], 42x [20,20]. The ESP32 stream emits mixed frame types
-    and the aligner stamps each window's subcarrier count from frame[0]
-    (extractCsiMatrix: nSc = window[0].subcarriers), zero-padding/truncating the rest.
-    Even native-70 windows contain ~20.4% internally zero-padded short frames
-    (subcarriers 40..69 all-zero for those frames).
-  - LAYOUT BUG: the aligner fills matrix[f * nSc + s] (frame-major) but declares
-    shape [nSc, nFrames]. The true layout is (frame, subcarrier); we reshape
-    (nFrames, nSc) and transpose. Confirmed by coherent per-frame zero-tails.
-  - Handling here (primary suite, "all2046"): every frame's subcarrier axis is
-    linearly resampled to 70 bins (np.interp over a normalized index domain;
-    identity for native-70 frames) so the pre-registered n=2,046 and split sizes
-    hold. Secondary suite ("native70") restricts to the 1,347 native [70,20]
-    windows (temporal 70/15/15 of those) as a homogeneity robustness check.
-
-Pre-registered protocol (followed exactly):
-  1. TEMPORAL split (records are time-sorted; asserted): first 70% train (1,432),
-     next 15% val (307), last 15% test (307). No shuffling across time. Seed 42
-     for everything else.
-  2. Model: upstream WiFlow-STD trunk (WiFlowPoseModel) with a learned 1x1 Conv1d
-     projection 70->540 prepended, and K=17 via the parameter-free adaptive pool
-     (AdaptiveAvgPool2d((17, 1)) instead of (15, 1)) -- pretrained weights load
-     for any K. CSI normalization: divide by the TRAIN-split 99th-percentile
-     amplitude, clip to [0, 1] (documented in output JSON).
-  3. Three runs, <=60 epochs, early-stop patience 8 on val MPJPE, batch 32,
-     AdamW, fp32 (no autocast):
-       (i)   pretrained-init: trunk init from upstream/test/best_pose_model.pth
-             (the measurement-(a) retrained checkpoint, ~96% PCK@20 on WiFlow data;
-             key remap att.->attention. / final_conv.->decoder. applied defensively
-             as in eval_repro.py -- a no-op for this checkpoint, which already uses
-             the new names). Discriminative lr: adapter 1e-4, trunk 1e-5.
-       (ii)  scratch: same architecture, random init, all params lr 1e-4.
-       (iii) frozen-trunk: pretrained trunk frozen (requires_grad=False AND held in
-             .eval() so BatchNorm running stats cannot drift -- pure transfer probe);
-             only the 70->540 adapter trains, lr 1e-4.
-  4. Metrics on the temporal TEST split: torso-normalized PCK@10/20/30/40/50 and
-     MPJPE. Upstream utils/metrics.py calculate_pck(use_torso_norm=True) hardcodes
-     NECK_IDX/PELVIS_IDX = 2, 12 -- a 15-keypoint convention that is WRONG for our
-     17 COCO keypoints (2 = right_eye, 12 = right_hip). We therefore reimplement the
-     identical math (per-frame norm distance, clamp min 0.01, mean over all
-     keypoints x frames) with torso = ||l_shoulder(5) - l_hip(11)||.
-     Also reported: prediction std across test frames (constant-pose detector;
-     must be > 0) and the mean-pose-predictor baseline (train-split mean pose
-     evaluated on test -- the honesty bar).
-
-Usage (on ruvultra):
-  nice -n 10 nohup ~/wiflow-std-bench/venv/bin/python train_measb.py > train_measb.log 2>&1 &
-
-NOTE: deployed to ruvultra as a standalone single file, so it deliberately
-inlines its helpers. The reference implementations (upstream import shim,
-np.load mmap patch, key-remap loader, canonical evaluate loop) live in
-benchmarks/wiflow-std/_bench_common.py — keep copies in sync.
-"""
-
-import json
-import os
-import random
-import sys
-import time
-
-import numpy as np
-import torch
-import torch.nn as nn
-
-BENCH = os.path.expanduser("~/wiflow-std-bench")
-UPSTREAM = os.path.join(BENCH, "upstream")
-MEASB = os.path.join(BENCH, "measb")
-DATA = os.path.join(BENCH, "paired-20260610.jsonl")
-CHECKPOINT = os.path.join(UPSTREAM, "test", "best_pose_model.pth")
-
-sys.path.insert(0, UPSTREAM)
-
-# Upstream defect (1): models/__init__.py imports a name tcn.py does not define.
-# Register a stub package so the broken __init__ never executes (as eval_repro.py).
-import types  # noqa: E402
-
-_models_pkg = types.ModuleType("models")
-_models_pkg.__path__ = [os.path.join(UPSTREAM, "models")]
-sys.modules["models"] = _models_pkg
-
-from models.pose_model import WiFlowPoseModel  # noqa: E402
-
-SEED = 42
-K = 17
-N_SUBC = 70
-TRUNK_IN = 540
-BATCH = 32          # <= 64 per protocol (GPU shared with the efficiency sweep)
-MAX_EPOCHS = 60
-PATIENCE = 8
-LR_ADAPTER = 1e-4
-LR_TRUNK_FT = 1e-5  # 10x lower for the pretrained trunk vs the fresh adapter
-L_SHOULDER, L_HIP = 5, 11
-THRESHOLDS = (0.1, 0.2, 0.3, 0.4, 0.5)
-
-
-def set_seed(seed=SEED):
-    random.seed(seed)
-    np.random.seed(seed)
-    torch.manual_seed(seed)
-    if torch.cuda.is_available():
-        torch.cuda.manual_seed_all(seed)
-    torch.backends.cudnn.deterministic = True
-    torch.backends.cudnn.benchmark = False
-
-
-def resample_subcarriers(frame_major, n_out=N_SUBC):
-    """(nFrames, nSc) -> (nFrames, n_out) by per-frame linear interpolation.
-
-    Identity for nSc == n_out. Normalized index domain [0, 1] on both sides.
-    """
-    nf, nsc = frame_major.shape
-    if nsc == n_out:
-        return frame_major
-    xi = np.linspace(0.0, 1.0, nsc)
-    xo = np.linspace(0.0, 1.0, n_out)
-    return np.stack([np.interp(xo, xi, frame_major[f]) for f in range(nf)]).astype(np.float32)
-
-
-def load_dataset():
-    csi, kps, confs, ts, native70 = [], [], [], [], []
-    shape_counts = {}
-    with open(DATA) as f:
-        for line in f:
-            r = json.loads(line)
-            nsc, nf = r["csi_shape"]
-            shape_counts[f"{nsc}x{nf}"] = shape_counts.get(f"{nsc}x{nf}", 0) + 1
-            assert nf == 20, r["csi_shape"]
-            # Aligner layout bug: data is frame-major despite the declared
-            # [nSc, nFrames] shape -- reshape (nFrames, nSc), then resample the
-            # subcarrier axis to 70 and transpose to (70 subcarriers, 20 frames).
-            fm = np.asarray(r["csi"], dtype=np.float32).reshape(nf, nsc)
-            csi.append(resample_subcarriers(fm).T)
-            kp = np.asarray(r["kp"], dtype=np.float32)
-            assert kp.shape == (K, 2), kp.shape
-            kps.append(kp)
-            confs.append(r["conf"])
-            ts.append(r["ts_start"])
-            native70.append(nsc == N_SUBC)
-    assert all(ts[i] <= ts[i + 1] for i in range(len(ts) - 1)), "records not time-sorted"
-    return (np.stack(csi), np.stack(kps), np.asarray(confs, dtype=np.float32),
-            np.asarray(native70), shape_counts, ts[0], ts[-1])
-
-
-def temporal_split(n):
-    n_train = int(round(n * 0.70))
-    n_val = int(round(n * 0.15))
-    return slice(0, n_train), slice(n_train, n_train + n_val), slice(n_train + n_val, n)
-
-
-class AdaptedWiFlow(nn.Module):
-    """1x1 Conv1d adapter 70->540 + upstream WiFlow-STD trunk with K=17 pool head."""
-
-    def __init__(self, k=K, dropout=0.5):
-        super().__init__()
-        self.adapter = nn.Conv1d(N_SUBC, TRUNK_IN, kernel_size=1)
-        nn.init.kaiming_normal_(self.adapter.weight, mode="fan_out", nonlinearity="relu")
-        nn.init.constant_(self.adapter.bias, 0)
-        self.trunk = WiFlowPoseModel(dropout=dropout)
-        # K=17 via the parameter-free adaptive pool: decoder emits [B, 2, 15, 20]
-        # spatial maps; pooling H->17 instead of 15 yields [B, 17, 2] with no new
-        # parameters, so the pretrained state_dict loads strict=True for any K.
-        self.trunk.avg_pool = nn.AdaptiveAvgPool2d((k, 1))
-
-    def forward(self, x):
-        return self.trunk(self.adapter(x))
-
-
-def load_pretrained_trunk(trunk, path):
-    state = torch.load(path, map_location="cpu", weights_only=True)
-    # Defensive remap as in eval_repro.py (no-op for the retrained checkpoint).
-    renames = {"att.": "attention.", "final_conv.": "decoder."}
-    state = {next((new + k[len(old):] for old, new in renames.items()
-                   if k.startswith(old)), k): v
-             for k, v in state.items()}
-    trunk.load_state_dict(state, strict=True)
-
-
-def pck_torso(pred, target, thresholds=THRESHOLDS):
-    """Upstream calculate_pck math, torso = l_shoulder(5)<->l_hip(11) for 17-kp COCO."""
-    norm = torch.sqrt(((target[:, L_SHOULDER] - target[:, L_HIP]) ** 2).sum(dim=1))
-    norm = torch.clamp(norm, min=0.01)
-    dist = torch.sqrt(((pred - target) ** 2).sum(dim=2)) / norm.unsqueeze(1)
-    return {f"pck@{int(t * 100)}": (dist <= t).float().mean().item() for t in thresholds}
-
-
-def mpjpe(pred, target):
-    return torch.sqrt(((pred - target) ** 2).sum(dim=2)).mean().item()
-
-
-@torch.no_grad()
-def predict(model, x, batch=256):
-    model.eval()
-    return torch.cat([model(x[i:i + batch]) for i in range(0, len(x), batch)])
-
-
-def eval_preds(pred, target):
-    out = pck_torso(pred, target)
-    out["mpjpe"] = mpjpe(pred, target)
-    # Constant-pose detector: std across test frames per coordinate, mean over
-    # the 17x2 coordinates. 0.0 == degenerate constant predictor.
-    out["pred_std"] = pred.std(dim=0).mean().item()
-    return out
-
-
-def train_run(name, x_tr, y_tr, x_va, y_va, device, pretrained, freeze_trunk,
-              lr_trunk):
-    set_seed(SEED)
-    model = AdaptedWiFlow().to(device)
-    if pretrained:
-        load_pretrained_trunk(model.trunk, CHECKPOINT)
-    if freeze_trunk:
-        for p in model.trunk.parameters():
-            p.requires_grad = False
-        groups = [{"params": model.adapter.parameters(), "lr": LR_ADAPTER}]
-    else:
-        groups = [{"params": model.adapter.parameters(), "lr": LR_ADAPTER},
-                  {"params": model.trunk.parameters(), "lr": lr_trunk}]
-    opt = torch.optim.AdamW(groups)
-    loss_fn = nn.MSELoss()
-
-    n = len(x_tr)
-    best_val, best_state, best_epoch, bad = float("inf"), None, -1, 0
-    history = []
-    t0 = time.time()
-    for epoch in range(MAX_EPOCHS):
-        model.train()
-        if freeze_trunk:
-            model.trunk.eval()  # keep BatchNorm running stats fixed: pure transfer
-        perm = torch.randperm(n, device=device)
-        ep_loss = 0.0
-        for i in range(0, n, BATCH):
-            idx = perm[i:i + BATCH]
-            opt.zero_grad()
-            loss = loss_fn(model(x_tr[idx]), y_tr[idx])
-            loss.backward()
-            opt.step()
-            ep_loss += loss.item() * len(idx)
-        val_mpjpe = mpjpe(predict(model, x_va), y_va)
-        history.append({"epoch": epoch, "train_mse": ep_loss / n, "val_mpjpe": val_mpjpe})
-        marker = ""
-        if val_mpjpe < best_val:
-            best_val, best_epoch, bad = val_mpjpe, epoch, 0
-            best_state = {k: v.detach().cpu().clone() for k, v in model.state_dict().items()}
-            marker = " *"
-        else:
-            bad += 1
-        print(f"[{name}] epoch {epoch:02d} train_mse {ep_loss / n:.6f} "
-              f"val_mpjpe {val_mpjpe:.5f}{marker}", flush=True)
-        if bad >= PATIENCE:
-            print(f"[{name}] early stop at epoch {epoch} (best {best_epoch})", flush=True)
-            break
-    model.load_state_dict(best_state)
-    torch.save(best_state, os.path.join(MEASB, f"{name}_best.pth"))
-    return model, {"best_epoch": best_epoch, "best_val_mpjpe": best_val,
-                   "epochs_run": len(history), "wall_seconds": round(time.time() - t0, 1),
-                   "history": history}
-
-
-def run_suite(tag, csi, kps, device):
-    """Temporal 70/15/15 split, mean-pose baseline, three training runs."""
-    n = len(csi)
-    tr, va, te = temporal_split(n)
-    print(f"=== suite {tag}: n={n} train={tr.stop} val={va.stop - va.start} "
-          f"test={te.stop - te.start} ===", flush=True)
-
-    # CSI normalization constant from TRAIN split only.
-    train_p99 = float(np.percentile(csi[tr], 99))
-    train_max = float(csi[tr].max())
-    print(f"[{tag}] train p99={train_p99:.3f} max={train_max:.3f} -> /p99, clip [0,1]",
-          flush=True)
-    csi_n = np.clip(csi / train_p99, 0.0, 1.0).astype(np.float32)
-
-    x = torch.from_numpy(csi_n).to(device)
-    y = torch.from_numpy(kps).to(device)
-    x_tr, y_tr = x[tr], y[tr]
-    x_va, y_va = x[va], y[va]
-    x_te, y_te = x[te], y[te]
-
-    suite = {
-        "n_windows": n,
-        "split": {"n_train": int(tr.stop), "n_val": int(va.stop - va.start),
-                  "n_test": int(te.stop - te.start)},
-        "csi_norm": {"method": "divide by train-split p99 amplitude, clip [0,1]",
-                     "train_p99": train_p99, "train_max": train_max},
-        "runs": {},
-    }
-
-    # Honesty bar: mean-pose predictor fit on TRAIN, evaluated on TEST.
-    mean_pose = y_tr.mean(dim=0, keepdim=True).expand(len(y_te), -1, -1)
-    suite["mean_pose_baseline"] = eval_preds(mean_pose, y_te)
-    suite["mean_pose_baseline"]["note"] = "train-split mean pose; pred_std 0 by construction"
-    print(f"[{tag}] mean-pose baseline:", json.dumps(suite["mean_pose_baseline"]),
-          flush=True)
-
-    configs = [
-        ("pretrained", dict(pretrained=True, freeze_trunk=False, lr_trunk=LR_TRUNK_FT)),
-        ("scratch", dict(pretrained=False, freeze_trunk=False, lr_trunk=LR_ADAPTER)),
-        ("frozen_trunk", dict(pretrained=True, freeze_trunk=True, lr_trunk=0.0)),
-    ]
-    for name, cfg in configs:
-        print(f"=== run: {tag}/{name} {cfg} ===", flush=True)
-        model, train_info = train_run(f"{tag}_{name}", x_tr, y_tr, x_va, y_va,
-                                      device, **cfg)
-        test_metrics = eval_preds(predict(model, x_te), y_te)
-        n_trainable = sum(p.numel() for p in model.parameters() if p.requires_grad)
-        suite["runs"][name] = {"config": cfg, "trainable_params": n_trainable,
-                               "train": {k: v for k, v in train_info.items()
-                                         if k != "history"},
-                               "history": train_info["history"],
-                               "test": test_metrics}
-        print(f"[{tag}/{name}] TEST:", json.dumps(test_metrics), flush=True)
-    return suite
-
-
-def main():
-    device = torch.device("cuda" if torch.cuda.is_available() else "cpu")
-    print(f"device {device}, torch {torch.__version__}", flush=True)
-    set_seed(SEED)
-
-    csi, kps, confs, native70, shape_counts, ts_first, ts_last = load_dataset()
-    print(f"shape distribution: {shape_counts}", flush=True)
-
-    results = {
-        "protocol": {
-            "dataset": DATA, "n_windows": len(csi),
-            "ts_first": ts_first, "ts_last": ts_last,
-            "conf_mean": float(confs.mean()), "conf_min": float(confs.min()),
-            "csi_shape_distribution": shape_counts,
-            "csi_layout_note": "aligner stores frame-major data under a transposed "
-                               "[nSc, nFrames] shape label; corrected on load",
-            "csi_resample": "per-frame linear interp of subcarrier axis to 70 bins "
-                            "(identity for native-70 frames); native-70 windows still "
-                            "contain ~20.4% internally zero-padded short frames",
-            "split": "temporal 70/15/15 (no shuffle across time)",
-            "model": "1x1 Conv1d 70->540 adapter + WiFlowPoseModel trunk, "
-                     "AdaptiveAvgPool2d((17,1)) head (parameter-free K=17)",
-            "checkpoint": CHECKPOINT,
-            "checkpoint_note": "measurement-(a) retrained checkpoint (~96% PCK@20 on "
-                               "WiFlow data); att./final_conv. remap applied "
-                               "defensively (no-op, already new-style keys)",
-            "optimizer": f"AdamW, adapter lr {LR_ADAPTER}, fine-tuned trunk lr "
-                         f"{LR_TRUNK_FT} (10x lower), scratch all {LR_ADAPTER}",
-            "batch": BATCH, "max_epochs": MAX_EPOCHS, "patience": PATIENCE,
-            "precision": "fp32", "seed": SEED,
-            "pck": "torso-normalized, torso = ||l_shoulder(5) - l_hip(11)||, "
-                   "clamp min 0.01, mean over keypoints x frames "
-                   "(upstream math; upstream 2/12 indices are a 15-kp convention)",
-        },
-        # Primary: all 2,046 windows (pre-registered n), subcarrier axis resampled.
-        "all2046": None,
-        # Secondary robustness check: the 1,347 native [70,20] windows only.
-        "native70": None,
-    }
-
-    results["all2046"] = run_suite("all2046", csi, kps, device)
-    results["native70"] = run_suite("native70", csi[native70], kps[native70], device)
-
-    out = os.path.join(MEASB, "measurement_b.json")
-    with open(out, "w") as f:
-        json.dump(results, f, indent=2)
-    print(f"wrote {out}", flush=True)
-
-
-if __name__ == "__main__":
-    main()

benchmarks/wiflow-std/remote/setup_and_train.sh

@@ -1,33 +0,0 @@
-#!/bin/bash
-set -ex
-cd ~/wiflow-std-bench
-
-# 1. clone upstream at the pinned commit
-if [ ! -d upstream ]; then
-  git clone https://github.com/DY2434/WiFlow-WiFi-Pose-Estimation-with-Spatio-Temporal-Decoupling upstream
-fi
-cd upstream && git checkout 06899d294a0f44709d601a53e91dbf24759daefb && cd ..
-
-# 2. documented deviation: fix upstream import bug (TemporalConvNet does not exist)
-sed -i 's/from .tcn import TemporalConvNet/from .tcn import TemporalBlock/; s/'"'"'TemporalConvNet'"'"'/'"'"'TemporalBlock'"'"'/' upstream/models/__init__.py
-
-# 3. venv: torch cu128 (RTX 5080 = sm_120 needs >=2.7; their pin 2.3.1 predates Blackwell)
-if [ ! -d venv ]; then
-  python3 -m venv venv
-  ./venv/bin/pip install -q --upgrade pip
-  ./venv/bin/pip install -q torch --index-url https://download.pytorch.org/whl/cu128
-  ./venv/bin/pip install -q numpy pandas matplotlib seaborn scikit-learn opencv-python-headless scipy tqdm psutil kagglehub
-fi
-./venv/bin/python -c "import torch; print(torch.__version__, torch.cuda.is_available(), torch.cuda.get_device_name(0))"
-
-# 4. dataset via kagglehub (anonymous, public dataset)
-DS=$(./venv/bin/python -c "import kagglehub; print(kagglehub.dataset_download('kaka2434/wiflow-dataset'))")
-echo "dataset at: $DS"
-
-# 5. run.py hardcodes ../preprocessed_csi_data relative to upstream/
-ln -sfn "$DS/preprocessed_csi_data" ~/wiflow-std-bench/preprocessed_csi_data
-
-# 6. train with upstream defaults (seed 42 set inside run.py)
-../venv/bin/python ../clean_nan.py 2>/dev/null || venv/bin/python clean_nan.py
-cd upstream
-../venv/bin/python run.py --gpu 0 --batch_size 64 --epochs 50 --output_dir ../train_output

benchmarks/wiflow-std/remote/sweep/model_compact.py

@@ -1,332 +0,0 @@
-"""Configurable compact variants of the WiFlow-STD pose model (ADR-152 efficiency sweep).
-
-This is a parameterized copy of upstream models/{pose_model,tcn,convnet,attention}.py
-(DY2434/WiFlow @ 06899d29, Apache-2.0). upstream/ is NOT modified. Deviations from
-upstream, all forced by shrinking channels and documented per variant in run_sweep.py:
-
-1. TCN grouped-conv groups: upstream hardcodes groups=20, which does not divide
-   the compact channel counts (e.g. 270, 135, 85). Rule here:
-   - groups_mode='gcd20': per-conv groups = gcd(channels, 20)  (== 20 wherever
-     upstream's choice is valid, incl. the 540-ch input conv; falls back to the
-     largest common divisor with 20 otherwise).
-   - groups_mode='depthwise': groups = channels (tiny variant only).
-2. Conv2d downsampling strides: upstream uses 4 stride-(1,2) blocks because
-   240/2^4 = 15 == n_keypoints. With smaller TCN output widths that would leave
-   <15 rows and AdaptiveAvgPool2d((15,1)) would duplicate rows across keypoints.
-   Rule: halve the width only while the result stays >= 15 (stride-2 blocks
-   first, stride-1 after). Full model: 240 -> 4 halvings = upstream exactly.
-3. input_pw_groups (tiny only): the dense 540->c pointwise + residual downsample
-   in TCN block 1 cost 2*540*c params (a ~117k floor that alone exceeds the
-   tiny <100k budget). tiny groups these two convs (groups=4; 4 | gcd(540, 68)).
-4. Decoder mid-channels: upstream 64->32; here c_last -> max(c_last // 2, 4).
-"""
-import math
-
-import torch
-import torch.nn as nn
-import torch.nn.functional as F
-
-
-def tcn_groups(channels: int, mode: str) -> int:
-    if mode == 'depthwise':
-        return channels
-    if mode == 'gcd20':
-        return math.gcd(channels, 20)
-    raise ValueError(mode)
-
-
-# ---------------------------------------------------------------- TCN (copy of tcn.py)
-class Chomp1d(nn.Module):
-    def __init__(self, chomp_size):
-        super().__init__()
-        self.chomp_size = chomp_size
-
-    def forward(self, x):
-        return x[:, :, :-self.chomp_size].contiguous()
-
-
-class CompactGroupedTemporalBlock(nn.Module):
-    """Upstream InnerGroupedTemporalBlock with parameterized groups."""
-
-    def __init__(self, n_inputs, n_outputs, kernel_size, stride, dilation, padding,
-                 dropout=0.2, groups_mode='gcd20', pw_groups=1):
-        super().__init__()
-        g_in = tcn_groups(n_inputs, groups_mode)
-        g_out = tcn_groups(n_outputs, groups_mode)
-        self.groups = (g_in, g_out)
-        self.pw_groups = pw_groups
-
-        self.conv1_group = nn.Conv1d(n_inputs, n_inputs, kernel_size, stride=stride,
-                                     padding=padding, dilation=dilation,
-                                     groups=g_in, bias=False)
-        self.chomp1 = Chomp1d(padding) if padding > 0 else nn.Identity()
-        self.bn1_group = nn.BatchNorm1d(n_inputs)
-        self.relu1_group = nn.SiLU(inplace=True)
-
-        self.conv1_pw = nn.Conv1d(n_inputs, n_outputs, 1, groups=pw_groups, bias=False)
-        self.bn1_pw = nn.BatchNorm1d(n_outputs)
-        self.relu1_pw = nn.SiLU(inplace=True)
-        self.dropout1 = nn.Dropout(dropout)
-
-        self.conv2_group = nn.Conv1d(n_outputs, n_outputs, kernel_size, stride=1,
-                                     padding=padding, dilation=dilation,
-                                     groups=g_out, bias=False)
-        self.chomp2 = Chomp1d(padding) if padding > 0 else nn.Identity()
-        self.bn2_group = nn.BatchNorm1d(n_outputs)
-        self.relu2_group = nn.SiLU(inplace=True)
-
-        self.conv2_pw = nn.Conv1d(n_outputs, n_outputs, 1, bias=False)
-        self.bn2_pw = nn.BatchNorm1d(n_outputs)
-        self.relu2_pw = nn.SiLU(inplace=True)
-        self.dropout2 = nn.Dropout(dropout)
-
-        self.downsample = nn.Sequential(
-            nn.Conv1d(n_inputs, n_outputs, 1, groups=pw_groups, bias=False),
-            nn.BatchNorm1d(n_outputs)
-        ) if n_inputs != n_outputs else nn.Identity()
-
-    def forward(self, x):
-        res = self.downsample(x)
-        out = self.conv1_group(x)
-        out = self.chomp1(out)
-        out = self.bn1_group(out)
-        out = self.relu1_group(out)
-        out = self.conv1_pw(out)
-        out = self.bn1_pw(out)
-        out = self.relu1_pw(out)
-        out = self.dropout1(out)
-        out = self.conv2_group(out)
-        out = self.chomp2(out)
-        out = self.bn2_group(out)
-        out = self.relu2_group(out)
-        out = self.conv2_pw(out)
-        out = self.bn2_pw(out)
-        out = self.relu2_pw(out)
-        out = self.dropout2(out)
-        return F.silu(out + res)
-
-
-class CompactTemporalBlock(nn.Module):
-    def __init__(self, num_inputs, num_channels, kernel_size=3, dropout=0.2,
-                 groups_mode='gcd20', input_pw_groups=1):
-        super().__init__()
-        layers = []
-        for i, out_channels in enumerate(num_channels):
-            dilation_size = 2 ** i
-            in_channels = num_inputs if i == 0 else num_channels[i - 1]
-            layers.append(CompactGroupedTemporalBlock(
-                in_channels, out_channels, kernel_size, stride=1,
-                dilation=dilation_size, padding=(kernel_size - 1) * dilation_size,
-                dropout=dropout, groups_mode=groups_mode,
-                pw_groups=input_pw_groups if i == 0 else 1))
-        self.network = nn.Sequential(*layers)
-
-    def forward(self, x):
-        return self.network(x)
-
-
-# ------------------------------------------------------- Conv2d path (copy of convnet.py)
-class AsymmetricConvBlock(nn.Module):
-    """Upstream block with parameterized width stride (upstream: always (1,2))."""
-
-    def __init__(self, in_channels, out_channels, dropout=0.3, stride_w=2):
-        super().__init__()
-        self.block = nn.Sequential(
-            nn.Conv2d(in_channels, out_channels, kernel_size=(1, 3),
-                      stride=(1, stride_w), padding=(0, 1)),
-            nn.BatchNorm2d(out_channels),
-            nn.SiLU(inplace=True),
-            nn.Dropout2d(dropout),
-            nn.Conv2d(out_channels, out_channels, kernel_size=(1, 3), padding=(0, 1)),
-            nn.BatchNorm2d(out_channels),
-            nn.SiLU(inplace=True),
-            nn.Dropout2d(dropout),
-            nn.Conv2d(out_channels, out_channels, kernel_size=(1, 3), padding=(0, 1)),
-            nn.BatchNorm2d(out_channels)
-        )
-        self.downsample = nn.Sequential(
-            nn.Conv2d(in_channels, out_channels, kernel_size=1,
-                      stride=(1, stride_w), bias=False),
-            nn.BatchNorm2d(out_channels)
-        )
-        self.activation = nn.SiLU(inplace=True)
-
-    def forward(self, x):
-        return self.activation(self.block(x) + self.downsample(x))
-
-
-class ConvBlock1(nn.Module):
-    def __init__(self, in_channels, out_channels, dropout=0.3):
-        super().__init__()
-        self.block = nn.Sequential(
-            nn.Conv2d(in_channels, out_channels, kernel_size=(1, 3), padding=(0, 1)),
-            nn.BatchNorm2d(out_channels),
-            nn.SiLU(inplace=True),
-            nn.Dropout2d(dropout),
-            nn.Conv2d(out_channels, out_channels, kernel_size=(1, 3), padding=(0, 1)),
-            nn.BatchNorm2d(out_channels),
-            nn.SiLU(inplace=True),
-            nn.Dropout2d(dropout),
-            nn.Conv2d(out_channels, out_channels, kernel_size=(1, 3), padding=(0, 1)),
-            nn.BatchNorm2d(out_channels)
-        )
-        self.downsample = nn.Sequential(
-            nn.Conv2d(in_channels, out_channels, kernel_size=1, stride=1, bias=False),
-            nn.BatchNorm2d(out_channels)
-        )
-        self.activation = nn.SiLU(inplace=True)
-
-    def forward(self, x):
-        return self.activation(self.block(x) + self.downsample(x))
-
-
-# ----------------------------------------------------- attention (verbatim attention.py)
-class AxialAttention(nn.Module):
-    def __init__(self, in_planes, out_planes, groups=8, stride=1, bias=False, width=False):
-        assert (in_planes % groups == 0) and (out_planes % groups == 0)
-        super().__init__()
-        self.in_planes = in_planes
-        self.out_planes = out_planes
-        self.groups = groups
-        self.group_planes = out_planes // groups
-        self.stride = stride
-        self.bias = bias
-        self.width = width
-        self.qkv_transform = nn.Conv1d(in_planes, out_planes * 3, kernel_size=1,
-                                       stride=1, padding=0, bias=False)
-        self.bn_qkv = nn.BatchNorm1d(out_planes * 3)
-        self.bn_similarity = nn.BatchNorm2d(groups)
-        self.bn_output = nn.BatchNorm1d(out_planes)
-        if stride > 1:
-            self.pooling = nn.AvgPool2d(stride, stride=stride)
-        nn.init.normal_(self.qkv_transform.weight.data, 0, math.sqrt(1. / self.in_planes))
-
-    def forward(self, x):
-        if self.width:
-            x = x.permute(0, 2, 1, 3)
-        else:
-            x = x.permute(0, 3, 1, 2)
-        N, W, C, H = x.shape
-        x = x.contiguous().view(N * W, C, H)
-        qkv = self.bn_qkv(self.qkv_transform(x))
-        qkv = qkv.reshape(N * W, 3, self.out_planes, H).permute(1, 0, 2, 3)
-        q, k, v = qkv[0], qkv[1], qkv[2]
-        q = q.reshape(N * W, self.groups, self.group_planes, H)
-        k = k.reshape(N * W, self.groups, self.group_planes, H)
-        v = v.reshape(N * W, self.groups, self.group_planes, H)
-        qk = torch.einsum('bgci, bgcj->bgij', q, k)
-        qk = self.bn_similarity(qk)
-        similarity = F.softmax(qk, dim=-1)
-        sv = torch.einsum('bgij,bgcj->bgci', similarity, v)
-        sv = sv.reshape(N * W, self.out_planes, H)
-        out = self.bn_output(sv)
-        out = out.view(N, W, self.out_planes, H)
-        if self.width:
-            out = out.permute(0, 2, 1, 3)
-        else:
-            out = out.permute(0, 2, 3, 1)
-        if self.stride > 1:
-            out = self.pooling(out)
-        return out
-
-
-class DualAxialAttention(nn.Module):
-    def __init__(self, in_planes, out_planes, groups=8, stride=1, bias=False):
-        super().__init__()
-        self.width_axis = AxialAttention(in_planes, out_planes, groups, stride, bias, width=True)
-        self.height_axis = AxialAttention(out_planes, out_planes, groups, stride, bias, width=False)
-
-    def forward(self, x):
-        return self.height_axis(self.width_axis(x))
-
-
-# --------------------------------------------------------------- full model
-def compute_strides(width: int, n_blocks: int, target: int = 15):
-    """Halve width while result stays >= target (upstream: 240 -> 4 halvings -> 15)."""
-    strides = []
-    for _ in range(n_blocks):
-        nxt = (width + 1) // 2  # conv k=3 s=2 p=1: out = ceil(in/2)
-        if nxt >= target:
-            strides.append(2)
-            width = nxt
-        else:
-            strides.append(1)
-    return strides, width
-
-
-class CompactWiFlowPoseModel(nn.Module):
-    """Parameterized upstream WiFlowPoseModel.
-
-    Upstream config == tcn_channels=[540,440,340,240], conv_channels=[8,16,32,64],
-    attn_groups=8, groups_mode='gcd20' (gcd(c,20)==20 for all upstream channels),
-    input_pw_groups=1 -> identical architecture, 2,225,042 params.
-    """
-
-    def __init__(self, tcn_channels, conv_channels, attn_groups,
-                 groups_mode='gcd20', input_pw_groups=1, dropout=0.3,
-                 num_subcarriers=540, num_keypoints=15):
-        super().__init__()
-        self.tcn = CompactTemporalBlock(
-            num_inputs=num_subcarriers, num_channels=tcn_channels, kernel_size=3,
-            dropout=dropout, groups_mode=groups_mode, input_pw_groups=input_pw_groups)
-
-        self.up = ConvBlock1(1, conv_channels[0])
-
-        strides, self.final_width = compute_strides(
-            tcn_channels[-1], len(conv_channels), target=num_keypoints)
-        self.conv_strides = strides
-        self.residual_blocks = nn.ModuleList()
-        in_channels = conv_channels[0]
-        for out_channels, s in zip(conv_channels, strides):
-            self.residual_blocks.append(
-                AsymmetricConvBlock(in_channels, out_channels, stride_w=s))
-            in_channels = out_channels
-
-        c_last = conv_channels[-1]
-        self.attention = DualAxialAttention(c_last, c_last, groups=attn_groups)
-
-        c_mid = max(c_last // 2, 4)
-        self.decoder = nn.Sequential(
-            nn.Conv2d(c_last, c_mid, kernel_size=3, padding=1),
-            nn.BatchNorm2d(c_mid),
-            nn.SiLU(inplace=True),
-            nn.Conv2d(c_mid, 2, kernel_size=1),
-            nn.BatchNorm2d(2),
-            nn.SiLU(inplace=True)
-        )
-        self.avg_pool = nn.AdaptiveAvgPool2d((num_keypoints, 1))
-        self._initialize_weights()
-
-    def _initialize_weights(self):
-        for m in self.modules():
-            if isinstance(m, nn.Conv1d):
-                nn.init.kaiming_normal_(m.weight, mode='fan_out', nonlinearity='relu')
-                if m.bias is not None:
-                    nn.init.constant_(m.bias, 0)
-            elif isinstance(m, (nn.BatchNorm1d, nn.LayerNorm)):
-                nn.init.constant_(m.weight, 1)
-                nn.init.constant_(m.bias, 0)
-            elif isinstance(m, nn.Linear):
-                nn.init.xavier_normal_(m.weight)
-                if m.bias is not None:
-                    nn.init.constant_(m.bias, 0)
-
-    def forward(self, x):
-        # [B, 540, 20]
-        x = self.tcn(x)                          # [B, C_tcn, 20]
-        x = x.transpose(1, 2).unsqueeze(1)       # [B, 1, 20, C_tcn]
-        x = self.up(x)
-        for block in self.residual_blocks:
-            x = block(x)                         # [B, C_conv, 20, W']
-        x = x.permute(0, 1, 3, 2)                # [B, C_conv, W', 20]
-        x = self.attention(x)
-        x = self.decoder(x)                      # [B, 2, W', 20]
-        x = self.avg_pool(x).squeeze(-1)         # [B, 2, 15]
-        return x.transpose(1, 2)                 # [B, 15, 2]
-
-
-def describe(model: 'CompactWiFlowPoseModel'):
-    params = sum(p.numel() for p in model.parameters())
-    tcn_g = [blk.groups for blk in model.tcn.network]
-    return {'params': params, 'tcn_groups_per_block': tcn_g,
-            'conv_strides': model.conv_strides, 'final_width': model.final_width}

benchmarks/wiflow-std/remote/sweep/run_sweep.py

@@ -1,278 +0,0 @@
-"""WiFlow-STD compact-variant efficiency sweep (ADR-152) — sequential overnight runner.
-
-Trains compact variants of the upstream WiFlow-STD architecture on the same
-data/split as the full-size reference retraining (seed 42, file-level 70/15/15,
-upstream dataset.py) and evaluates PCK@10..50 + MPJPE on the full test split and
-the corruption-free test subset (file indices < 487).
-
-Training mirrors upstream run.py/train.py defaults except:
-- fp32 only (no fp16 autocast / GradScaler — avoids the BN-poisoning trap
-  documented in RESULTS.md defect 5; data on disk is already cleaned).
-- batch 64 (kept modest: another GPU job may share the 16 GB card tonight).
-- scheduler + early stopping keyed on val MPJPE (upstream early-stops on val MPE
-  with patience 5; same here).
-
-Usage:
-  venv/bin/python sweep/run_sweep.py --dry-run    # param counts only
-  nohup venv/bin/python sweep/run_sweep.py > sweep/sweep.log 2>&1 &
-
-Idempotent: variants already present in sweep/results.jsonl are skipped.
-
-NOTE: deployed to ruvultra (~/wiflow-std-bench/sweep) as a standalone file, so
-it deliberately inlines its helpers. The reference implementations (upstream
-import shim, >1GB np.load mmap patch, key-remap loader, canonical evaluate
-loop) live in benchmarks/wiflow-std/_bench_common.py — keep copies in sync.
-"""
-import argparse
-import copy
-import json
-import os
-import random
-import sys
-import time
-
-import numpy as np
-import torch
-from torch.utils.data import DataLoader, Subset
-
-# csi_windows.npy is ~13 GB; mmap large arrays instead of eagerly loading
-# ~15 GB into RAM (same patch as _bench_common._np_load_mmap).
-_np_load = np.load
-
-
-def _np_load_mmap(path, *a, **kw):
-    if (isinstance(path, str) and path.endswith('.npy')
-            and os.path.getsize(path) > 1 << 30 and 'mmap_mode' not in kw):
-        kw['mmap_mode'] = 'r'
-    return _np_load(path, *a, **kw)
-
-
-np.load = _np_load_mmap
-
-BENCH = os.path.expanduser('~/wiflow-std-bench')
-SWEEP = os.path.join(BENCH, 'sweep')
-sys.path.insert(0, os.path.join(BENCH, 'upstream'))
-sys.path.insert(0, SWEEP)
-
-from dataset import PreprocessedCSIKeypointsDataset, create_preprocessed_train_val_test_loaders  # noqa: E402
-from losses.pose_loss import PoseLoss          # noqa: E402
-from utils.metrics import calculate_pck, calculate_mpjpe  # noqa: E402
-from model_compact import CompactWiFlowPoseModel, describe  # noqa: E402
-
-VARIANTS = [
-    # name, tcn_channels, conv_channels, attn_groups, groups_mode, input_pw_groups
-    dict(name='half',    tcn=[270, 220, 170, 120], conv=[4, 8, 16, 32], attn_groups=4,
-         groups_mode='gcd20', input_pw_groups=1),
-    dict(name='quarter', tcn=[135, 110, 85, 60],   conv=[2, 4, 8, 16],  attn_groups=2,
-         groups_mode='gcd20', input_pw_groups=1),
-    dict(name='tiny',    tcn=[68, 56, 44, 32],     conv=[2, 4, 8, 16],  attn_groups=2,
-         groups_mode='depthwise', input_pw_groups=4),
-]
-
-BATCH = 64
-EPOCHS = 50
-PATIENCE = 5
-LR = 1e-4
-WEIGHT_DECAY = 5e-5
-SEED = 42
-CORRUPT_FILE_START = 487  # files 487-499 were zero-filled by clean_nan.py
-
-
-def set_seed(seed=SEED):
-    random.seed(seed)
-    np.random.seed(seed)
-    torch.manual_seed(seed)
-    torch.cuda.manual_seed_all(seed)
-    torch.backends.cudnn.deterministic = True
-    torch.backends.cudnn.benchmark = False
-
-
-def build_model(v, dropout=0.5):
-    return CompactWiFlowPoseModel(
-        tcn_channels=v['tcn'], conv_channels=v['conv'], attn_groups=v['attn_groups'],
-        groups_mode=v['groups_mode'], input_pw_groups=v['input_pw_groups'],
-        dropout=dropout)
-
-
-@torch.no_grad()
-def evaluate(model, loader, device):
-    model.eval()
-    totals = {t: 0.0 for t in (0.1, 0.2, 0.3, 0.4, 0.5)}
-    total_mpe, n = 0.0, 0
-    for bx, by in loader:
-        bx, by = bx.to(device), by.to(device)
-        out = model(bx)
-        bs = by.size(0)
-        total_mpe += calculate_mpjpe(out, by) * bs
-        pck = calculate_pck(out, by, thresholds=list(totals))
-        for t in totals:
-            totals[t] += pck[t] * bs
-        n += bs
-    return {'samples': n, 'mpjpe': total_mpe / n,
-            **{f'pck@{int(t * 100)}': totals[t] / n for t in totals}}
-
-
-def train_variant(v, dataset, device):
-    set_seed(SEED)
-    train_loader, val_loader, test_loader = create_preprocessed_train_val_test_loaders(
-        dataset=dataset, batch_size=BATCH, num_workers=2, random_seed=SEED)
-
-    set_seed(SEED)  # re-seed after split so init is split-independent
-    model = build_model(v).to(device)
-    info = describe(model)
-    print(f"[{v['name']}] params={info['params']:,} tcn_groups={info['tcn_groups_per_block']} "
-          f"conv_strides={info['conv_strides']} final_width={info['final_width']}", flush=True)
-
-    criterion = PoseLoss(position_weight=1.0, bone_weight=0.2, loss_type='smooth_l1')
-    optimizer = torch.optim.AdamW(model.parameters(), lr=LR, weight_decay=WEIGHT_DECAY,
-                                  betas=(0.9, 0.999))
-    scheduler = torch.optim.lr_scheduler.ReduceLROnPlateau(
-        optimizer, mode='min', factor=0.5, patience=3, min_lr=LR / 1000,
-        cooldown=1, threshold=1e-4)
-
-    best_val_mpe = float('inf')
-    best_val_pck20 = 0.0
-    best_epoch = 0
-    best_state = None
-    patience_counter = 0
-    t0 = time.time()
-    error = None
-    epochs_run = 0
-
-    for epoch in range(1, EPOCHS + 1):
-        model.train()
-        ep_loss, nb = 0.0, 0
-        te = time.time()
-        for i, (bx, by) in enumerate(train_loader):
-            bx = bx.to(device, non_blocking=True)
-            by = by.to(device, non_blocking=True)
-            optimizer.zero_grad(set_to_none=True)
-            out = model(bx)
-            loss, _parts = criterion(out, by)
-            if not torch.isfinite(loss):
-                error = f'non-finite loss at epoch {epoch} step {i}'
-                break
-            loss.backward()
-            optimizer.step()
-            ep_loss += loss.item()
-            nb += 1
-            if epoch == 1 and i % 500 == 0:
-                print(f"[{v['name']}] e1 step {i}/{len(train_loader)} loss={loss.item():.5f}",
-                      flush=True)
-        if error:
-            break
-        epochs_run = epoch
-
-        val = evaluate(model, val_loader, device)
-        scheduler.step(val['mpjpe'])
-        lr_now = optimizer.param_groups[0]['lr']
-        print(f"[{v['name']}] epoch {epoch}/{EPOCHS} train_loss={ep_loss / max(nb, 1):.5f} "
-              f"val_mpjpe={val['mpjpe']:.5f} val_pck20={val['pck@20'] * 100:.2f}% "
-              f"lr={lr_now:.2e} ({time.time() - te:.0f}s)", flush=True)
-
-        if val['mpjpe'] < best_val_mpe:
-            best_val_mpe = val['mpjpe']
-            best_val_pck20 = val['pck@20']
-            best_epoch = epoch
-            best_state = copy.deepcopy(model.state_dict())
-            patience_counter = 0
-        else:
-            patience_counter += 1
-            if patience_counter >= PATIENCE:
-                print(f"[{v['name']}] early stop at epoch {epoch} (best {best_epoch})", flush=True)
-                break
-
-    train_seconds = time.time() - t0
-    result = {
-        'variant': v['name'], 'params': info['params'],
-        'tcn_channels': v['tcn'], 'conv_channels': v['conv'],
-        'attn_groups': v['attn_groups'], 'groups_mode': v['groups_mode'],
-        'input_pw_groups': v['input_pw_groups'],
-        'tcn_groups_per_block': info['tcn_groups_per_block'],
-        'conv_strides': info['conv_strides'], 'final_width': info['final_width'],
-        'batch_size': BATCH, 'max_epochs': EPOCHS, 'patience': PATIENCE,
-        'lr': LR, 'weight_decay': WEIGHT_DECAY, 'seed': SEED, 'precision': 'fp32',
-        'epochs_run': epochs_run, 'best_epoch': best_epoch,
-        'best_val_mpjpe': best_val_mpe if best_state else None,
-        'best_val_pck20': best_val_pck20 if best_state else None,
-        'train_seconds': round(train_seconds, 1),
-        'torch': torch.__version__, 'error': error,
-        'finished_utc': time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime()),
-    }
-
-    if best_state is not None:
-        ckpt = os.path.join(SWEEP, f"{v['name']}_best.pth")
-        torch.save(best_state, ckpt)
-        result['checkpoint'] = ckpt
-        model.load_state_dict(best_state)
-
-        eval_loader = DataLoader(test_loader.dataset, batch_size=256, shuffle=False,
-                                 num_workers=2)
-        result['test_full'] = evaluate(model, eval_loader, device)
-
-        w2f = dataset.window_to_file
-        clean_idx = [i for i in test_loader.dataset.indices if w2f[i] < CORRUPT_FILE_START]
-        clean_loader = DataLoader(Subset(dataset, clean_idx), batch_size=256,
-                                  shuffle=False, num_workers=2)
-        result['test_clean'] = evaluate(model, clean_loader, device)
-        print(f"[{v['name']}] TEST clean: pck20={result['test_clean']['pck@20'] * 100:.2f}% "
-              f"mpjpe={result['test_clean']['mpjpe']:.5f} | full: "
-              f"pck20={result['test_full']['pck@20'] * 100:.2f}%", flush=True)
-    return result
-
-
-def main():
-    ap = argparse.ArgumentParser()
-    ap.add_argument('--dry-run', action='store_true', help='print param counts and exit')
-    args = ap.parse_args()
-
-    if args.dry_run:
-        for v in VARIANTS:
-            m = build_model(v)
-            info = describe(m)
-            x = torch.randn(2, 540, 20)
-            m.eval()
-            y = m(x)
-            print(f"{v['name']:8s} params={info['params']:>9,} "
-                  f"tcn={v['tcn']} conv={v['conv']} attn_g={v['attn_groups']} "
-                  f"mode={v['groups_mode']} pw_g={v['input_pw_groups']} "
-                  f"tcn_groups={info['tcn_groups_per_block']} strides={info['conv_strides']} "
-                  f"W'={info['final_width']} out={tuple(y.shape)}")
-        return
-
-    results_path = os.path.join(SWEEP, 'results.jsonl')
-    done = set()
-    if os.path.exists(results_path):
-        with open(results_path) as f:
-            for line in f:
-                try:
-                    done.add(json.loads(line)['variant'])
-                except Exception:
-                    pass
-
-    device = torch.device('cuda')
-    print(f"torch {torch.__version__} on {torch.cuda.get_device_name(0)}", flush=True)
-    data_dir = os.path.join(BENCH, 'preprocessed_csi_data')
-    dataset = PreprocessedCSIKeypointsDataset(data_dir=data_dir, keypoint_scale=1000.0,
-                                              enable_temporal_clean=True)
-
-    for v in VARIANTS:
-        if v['name'] in done:
-            print(f"[{v['name']}] already in results.jsonl — skipping", flush=True)
-            continue
-        print(f"\n===== variant: {v['name']} =====", flush=True)
-        try:
-            result = train_variant(v, dataset, device)
-        except Exception as e:  # record and move on to next variant
-            import traceback
-            traceback.print_exc()
-            result = {'variant': v['name'], 'error': repr(e),
-                      'finished_utc': time.strftime('%Y-%m-%dT%H:%M:%SZ', time.gmtime())}
-        with open(results_path, 'a') as f:
-            f.write(json.dumps(result) + '\n')
-            f.flush()
-    print('\nSWEEP COMPLETE', flush=True)
-
-
-if __name__ == '__main__':
-    main()

benchmarks/wiflow-std/results/edge_optimization.json

@@ -1,772 +0,0 @@
-{
-  "torch": {
-    "env": {
-      "torch": "2.12.0+cpu",
-      "platform": "Windows-11-10.0.26200-SP0",
-      "processor": "Intel64 Family 6 Model 197 Stepping 2, GenuineIntel",
-      "num_threads": 16,
-      "checkpoint": "results\\retrained_best_pose_model.pth",
-      "params": 2225042
-    },
-    "variants": {
-      "fp32": {
-        "file": "retrained_fp32_resaved.pth",
-        "size_bytes": 9068948,
-        "size_mb": 9.068948,
-        "latency_batch1": {
-          "batch_size": 1,
-          "runs": 100,
-          "median_ms_per_batch": 24.903650000851485,
-          "median_ms_per_window": 24.903650000851485,
-          "windows_per_second": 40.15475642991324
-        },
-        "latency_batch64": {
-          "batch_size": 64,
-          "runs": 30,
-          "median_ms_per_batch": 184.02919999789447,
-          "median_ms_per_window": 2.875456249967101,
-          "windows_per_second": 347.77089723115813
-        },
-        "accuracy": {
-          "samples": 10000,
-          "pck@20": 0.9668200004577636,
-          "pck@50": 0.9915333324432373,
-          "mpjpe": 0.00936222033649683,
-          "wall_seconds": 37.85407733917236
-        }
-      },
-      "fp16": {
-        "file": "retrained_fp16.pth",
-        "size_bytes": 4580332,
-        "size_mb": 4.580332,
-        "latency_batch1": {
-          "batch_size": 1,
-          "runs": 100,
-          "median_ms_per_batch": 23.936699999467237,
-          "median_ms_per_window": 23.936699999467237,
-          "windows_per_second": 41.776853117691964
-        },
-        "latency_batch64": {
-          "batch_size": 64,
-          "runs": 30,
-          "median_ms_per_batch": 102.32584999903338,
-          "median_ms_per_window": 1.5988414062348966,
-          "windows_per_second": 625.4529036465817
-        },
-        "accuracy": {
-          "samples": 10000,
-          "pck@20": 0.966773332977295,
-          "pck@50": 0.9915066654205322,
-          "mpjpe": 0.009460017587244511,
-          "wall_seconds": 21.632277250289917
-        }
-      },
-      "int8_dynamic": {
-        "file": "retrained_int8_dynamic.pth",
-        "size_bytes": 9068948,
-        "size_mb": 9.068948,
-        "latency_batch1": {
-          "batch_size": 1,
-          "runs": 100,
-          "median_ms_per_batch": 18.105350000041653,
-          "median_ms_per_window": 18.105350000041653,
-          "windows_per_second": 55.23229321707117
-        },
-        "latency_batch64": {
-          "batch_size": 64,
-          "runs": 30,
-          "median_ms_per_batch": 168.77549999844632,
-          "median_ms_per_window": 2.6371171874757238,
-          "windows_per_second": 379.20195763359703
-        },
-        "accuracy": {
-          "samples": 10000,
-          "pck@20": 0.9668200004577636,
-          "pck@50": 0.9915333324432373,
-          "mpjpe": 0.00936222033649683,
-          "wall_seconds": 45.35376596450806
-        }
-      }
-    },
-    "int8_dynamic_quant_report": {
-      "eligible_module_counts": {
-        "nn.Linear": 0,
-        "nn.Conv1d": 21,
-        "nn.Conv2d": 22
-      },
-      "modules_actually_quantized": [],
-      "n_modules_quantized": 0,
-      "params_total": 2225042,
-      "params_quantized": 0,
-      "params_quantized_fraction": 0.0
-    },
-    "accuracy_subset": {
-      "description": "seed-42 file-level 70/15/15 test split, corrupted windows (files 487-499) excluded, seed-42 random subset",
-      "subset_size": 10000,
-      "clean_test_total": 10000
-    }
-  },
-  "onnx": {
-    "env": {
-      "torch": "2.12.0+cpu",
-      "onnxruntime": "1.26.0",
-      "platform": "Windows-11-10.0.26200-SP0"
-    },
-    "export": {
-      "mode": "dynamic-batch",
-      "exporter": "torchscript",
-      "file": "retrained_fp32_dynamic.onnx",
-      "size_mb": 8.971781
-    },
-    "parity": {
-      "fixture": "results/parity_fixture.npz (batch 2, seed 42)",
-      "max_abs_diff_vs_stored_fixture": 2.384185791015625e-07,
-      "max_abs_diff_vs_torch_now": 2.384185791015625e-07,
-      "pass_lt_1e-4": true
-    },
-    "latency": {
-      "batch1": {
-        "batch_size": 1,
-        "runs": 100,
-        "median_ms_per_batch": 2.5410999987798277,
-        "median_ms_per_window": 2.5410999987798277,
-        "windows_per_second": 393.5303610563043
-      },
-      "batch64": {
-        "batch_size": 64,
-        "runs": 30,
-        "median_ms_per_batch": 181.95204999938142,
-        "median_ms_per_window": 2.8430007812403346,
-        "windows_per_second": 351.7410218803118
-      }
-    },
-    "ort_int8_dynamic_supplementary": {
-      "file": "retrained_int8_ort_dynamic.onnx",
-      "size_mb": 2.438794,
-      "runs": true,
-      "max_abs_diff_vs_fp32_fixture": 0.00827130675315857
-    }
-  },
-  "onnx_accuracy": {
-    "onnx_fp32": {
-      "samples": 10000,
-      "pck@20": 0.9668200004577636,
-      "pck@50": 0.9915333324432373,
-      "mpjpe": 0.00936222568154335,
-      "wall_seconds": 22.34790802001953
-    },
-    "onnx_int8_ort_dynamic": {
-      "samples": 10000,
-      "pck@20": 0.965240001964569,
-      "pck@50": 0.9915466655731201,
-      "mpjpe": 0.01108054072111845,
-      "wall_seconds": 55.742953062057495
-    }
-  },
-  "latency_controlled_rerun": {
-    "note": "3 interleaved repetitions per variant, median ms/window; quiet box",
-    "fp32": {
-      "batch1_ms_per_window_median": 10.969150001983508,
-      "batch1_reps": [
-        10.969150001983508,
-        12.646450000829645,
-        10.49820000116597
-      ],
-      "batch64_ms_per_window_median": 2.2734187500077496,
-      "batch64_reps": [
-        2.377234374989712,
-        2.124126562478068,
-        2.2734187500077496
-      ]
-    },
-    "fp16": {
-      "batch1_ms_per_window_median": 24.313550000442774,
-      "batch1_reps": [
-        25.1078499986761,
-        21.856999999727122,
-        24.313550000442774
-      ],
-      "batch64_ms_per_window_median": 2.414695312495496,
-      "batch64_reps": [
-        2.5705156249955508,
-        1.7137437499741281,
-        2.414695312495496
-      ]
-    },
-    "int8_dynamic": {
-      "batch1_ms_per_window_median": 15.627150000000256,
-      "batch1_reps": [
-        17.67525000104797,
-        14.627999998992891,
-        15.627150000000256
-      ],
-      "batch64_ms_per_window_median": 2.0546906250160646,
-      "batch64_reps": [
-        2.0546906250160646,
-        2.03407343752815,
-        2.9325796875241394
-      ]
-    },
-    "onnx_fp32": {
-      "batch1_ms_per_window_median": 3.186650001225644,
-      "batch1_reps": [
-        2.7332500012562377,
-        3.1995500012271805,
-        3.186650001225644
-      ],
-      "batch64_ms_per_window_median": 1.9893374999924163,
-      "batch64_reps": [
-        1.5590843750032946,
-        1.9893374999924163,
-        2.2144343749914697
-      ]
-    },
-    "onnx_int8_ort_dynamic": {
-      "batch1_ms_per_window_median": 6.50984999811044,
-      "batch1_reps": [
-        6.50984999811044,
-        6.455249998907675,
-        6.789299999581999
-      ],
-      "batch64_ms_per_window_median": 5.770093750015803,
-      "batch64_reps": [
-        5.770093750015803,
-        3.912374999970325,
-        7.8067296875019565
-      ]
-    }
-  },
-  "onnx_static_ptq": {
-    "env": {
-      "onnxruntime": "1.26.0",
-      "torch": "2.12.0+cpu",
-      "platform": "Windows-11-10.0.26200-SP0",
-      "source_model": "retrained_fp32_dynamic.onnx",
-      "preprocessed_model": {
-        "file": "retrained_fp32_preproc.onnx",
-        "size_mb": 8.981529
-      }
-    },
-    "variants": {
-      "minmax_all": {
-        "file": "retrained_int8_static_minmax_all.onnx",
-        "size_bytes": 2604286,
-        "size_mb": 2.604286,
-        "calibration": {
-          "method": "minmax",
-          "windows": 1000,
-          "percentile": null,
-          "seconds": 5.052440166473389
-        },
-        "scope": "all",
-        "per_channel": true,
-        "activation_type": "QInt8",
-        "weight_type": "QInt8",
-        "node_counts": {
-          "Add": 9,
-          "AveragePool": 1,
-          "BatchNormalization": 12,
-          "Concat": 10,
-          "Conv": 43,
-          "DequantizeLinear": 283,
-          "Einsum": 4,
-          "Gather": 16,
-          "Mul": 39,
-          "QuantizeLinear": 181,
-          "Reshape": 14,
-          "Shape": 2,
-          "Sigmoid": 37,
-          "Slice": 8,
-          "Softmax": 2,
-          "Squeeze": 1,
-          "Transpose": 7,
-          "Unsqueeze": 11
-        },
-        "max_abs_diff_vs_fp32_fixture": 0.015945255756378174,
-        "accuracy": {
-          "samples": 10000,
-          "pck@20": 0.9545266661643982,
-          "pck@50": 0.9913666645050049,
-          "mpjpe": 0.014860070134699345,
-          "wall_seconds": 43.455235958099365
-        }
-      },
-      "minmax_conv": {
-        "file": "retrained_int8_static_minmax_conv.onnx",
-        "size_bytes": 2527421,
-        "size_mb": 2.527421,
-        "calibration": {
-          "method": "minmax",
-          "windows": 1000,
-          "percentile": null,
-          "seconds": 4.380746126174927
-        },
-        "scope": "conv",
-        "per_channel": true,
-        "activation_type": "QInt8",
-        "weight_type": "QInt8",
-        "node_counts": {
-          "Add": 9,
-          "AveragePool": 1,
-          "BatchNormalization": 12,
-          "Concat": 10,
-          "Conv": 43,
-          "DequantizeLinear": 156,
-          "Einsum": 4,
-          "Gather": 16,
-          "Mul": 39,
-          "QuantizeLinear": 78,
-          "Reshape": 14,
-          "Shape": 2,
-          "Sigmoid": 37,
-          "Slice": 8,
-          "Softmax": 2,
-          "Squeeze": 1,
-          "Transpose": 7,
-          "Unsqueeze": 11
-        },
-        "max_abs_diff_vs_fp32_fixture": 0.010693132877349854,
-        "accuracy": {
-          "samples": 10000,
-          "pck@20": 0.9663399996757507,
-          "pck@50": 0.9918666641235352,
-          "mpjpe": 0.01084446222037077,
-          "wall_seconds": 35.937947034835815
-        }
-      },
-      "entropy_all": {
-        "file": "retrained_int8_static_entropy_all.onnx",
-        "size_bytes": 2604268,
-        "size_mb": 2.604268,
-        "calibration": {
-          "method": "entropy",
-          "windows": 512,
-          "percentile": null,
-          "seconds": 23.835066318511963
-        },
-        "scope": "all",
-        "per_channel": true,
-        "activation_type": "QInt8",
-        "weight_type": "QInt8",
-        "node_counts": {
-          "Add": 9,
-          "AveragePool": 1,
-          "BatchNormalization": 12,
-          "Concat": 10,
-          "Conv": 43,
-          "DequantizeLinear": 283,
-          "Einsum": 4,
-          "Gather": 16,
-          "Mul": 39,
-          "QuantizeLinear": 181,
-          "Reshape": 14,
-          "Shape": 2,
-          "Sigmoid": 37,
-          "Slice": 8,
-          "Softmax": 2,
-          "Squeeze": 1,
-          "Transpose": 7,
-          "Unsqueeze": 11
-        },
-        "max_abs_diff_vs_fp32_fixture": 0.015280365943908691,
-        "accuracy": {
-          "samples": 10000,
-          "pck@20": 0.9530466662406921,
-          "pck@50": 0.9912600006103516,
-          "mpjpe": 0.015098519864678382,
-          "wall_seconds": 51.514281034469604
-        }
-      },
-      "entropy_conv": {
-        "file": "retrained_int8_static_entropy_conv.onnx",
-        "size_bytes": 2527403,
-        "size_mb": 2.527403,
-        "calibration": {
-          "method": "entropy",
-          "windows": 512,
-          "percentile": null,
-          "seconds": 9.634419918060303
-        },
-        "scope": "conv",
-        "per_channel": true,
-        "activation_type": "QInt8",
-        "weight_type": "QInt8",
-        "node_counts": {
-          "Add": 9,
-          "AveragePool": 1,
-          "BatchNormalization": 12,
-          "Concat": 10,
-          "Conv": 43,
-          "DequantizeLinear": 156,
-          "Einsum": 4,
-          "Gather": 16,
-          "Mul": 39,
-          "QuantizeLinear": 78,
-          "Reshape": 14,
-          "Shape": 2,
-          "Sigmoid": 37,
-          "Slice": 8,
-          "Softmax": 2,
-          "Squeeze": 1,
-          "Transpose": 7,
-          "Unsqueeze": 11
-        },
-        "max_abs_diff_vs_fp32_fixture": 0.012535125017166138,
-        "accuracy": {
-          "samples": 10000,
-          "pck@20": 0.9659599989891052,
-          "pck@50": 0.9918666648864746,
-          "mpjpe": 0.010778637571632861,
-          "wall_seconds": 41.01180171966553
-        }
-      },
-      "percentile_all": {
-        "file": "retrained_int8_static_percentile_all.onnx",
-        "size_bytes": 2604052,
-        "size_mb": 2.604052,
-        "calibration": {
-          "method": "percentile",
-          "windows": 512,
-          "percentile": 99.99,
-          "seconds": 20.221954584121704
-        },
-        "scope": "all",
-        "per_channel": true,
-        "activation_type": "QInt8",
-        "weight_type": "QInt8",
-        "node_counts": {
-          "Add": 9,
-          "AveragePool": 1,
-          "BatchNormalization": 12,
-          "Concat": 10,
-          "Conv": 43,
-          "DequantizeLinear": 283,
-          "Einsum": 4,
-          "Gather": 16,
-          "Mul": 39,
-          "QuantizeLinear": 181,
-          "Reshape": 14,
-          "Shape": 2,
-          "Sigmoid": 37,
-          "Slice": 8,
-          "Softmax": 2,
-          "Squeeze": 1,
-          "Transpose": 7,
-          "Unsqueeze": 11
-        },
-        "max_abs_diff_vs_fp32_fixture": 0.017689883708953857,
-        "accuracy": {
-          "samples": 10000,
-          "pck@20": 0.9639333323478698,
-          "pck@50": 0.9916799991607667,
-          "mpjpe": 0.012176512064039708,
-          "wall_seconds": 49.365190744400024
-        }
-      },
-      "percentile_conv": {
-        "file": "retrained_int8_static_percentile_conv.onnx",
-        "size_bytes": 2527241,
-        "size_mb": 2.527241,
-        "calibration": {
-          "method": "percentile",
-          "windows": 512,
-          "percentile": 99.99,
-          "seconds": 8.223475694656372
-        },
-        "scope": "conv",
-        "per_channel": true,
-        "activation_type": "QInt8",
-        "weight_type": "QInt8",
-        "node_counts": {
-          "Add": 9,
-          "AveragePool": 1,
-          "BatchNormalization": 12,
-          "Concat": 10,
-          "Conv": 43,
-          "DequantizeLinear": 156,
-          "Einsum": 4,
-          "Gather": 16,
-          "Mul": 39,
-          "QuantizeLinear": 78,
-          "Reshape": 14,
-          "Shape": 2,
-          "Sigmoid": 37,
-          "Slice": 8,
-          "Softmax": 2,
-          "Squeeze": 1,
-          "Transpose": 7,
-          "Unsqueeze": 11
-        },
-        "max_abs_diff_vs_fp32_fixture": 0.014725983142852783,
-        "accuracy": {
-          "samples": 10000,
-          "pck@20": 0.9660599988937378,
-          "pck@50": 0.9916066654205322,
-          "mpjpe": 0.010310938355326652,
-          "wall_seconds": 36.89548587799072
-        }
-      }
-    },
-    "latency": {
-      "note": "3 interleaved repetitions per variant, median ms/window; onnx_fp32 / onnx_int8_ort_dynamic are same-session references",
-      "onnx_fp32": {
-        "batch1_reps": [
-          4.5327999996516155,
-          2.535649999117595,
-          2.167549997466267
-        ],
-        "batch64_reps": [
-          1.9354515624740998,
-          2.4948054687854437,
-          1.9334703125082342
-        ],
-        "batch1_ms_per_window_median": 2.535649999117595,
-        "batch64_ms_per_window_median": 1.9354515624740998
-      },
-      "onnx_int8_ort_dynamic": {
-        "batch1_reps": [
-          5.698599999959697,
-          5.721350000385428,
-          4.805099997611251
-        ],
-        "batch64_reps": [
-          4.096601562508795,
-          4.857628124995017,
-          4.583800000006022
-        ],
-        "batch1_ms_per_window_median": 5.698599999959697,
-        "batch64_ms_per_window_median": 4.583800000006022
-      },
-      "entropy_all": {
-        "batch1_reps": [
-          6.444149999879301,
-          5.038299999796436,
-          5.713200000172947
-        ],
-        "batch64_reps": [
-          4.149468750028973,
-          3.437125000004926,
-          4.410960937491382
-        ],
-        "batch1_ms_per_window_median": 5.713200000172947,
-        "batch64_ms_per_window_median": 4.149468750028973
-      },
-      "entropy_conv": {
-        "batch1_reps": [
-          4.874750000453787,
-          5.169099998965976,
-          5.236699998931726
-        ],
-        "batch64_reps": [
-          3.010160156236452,
-          3.1175546875203963,
-          3.516850781238645
-        ],
-        "batch1_ms_per_window_median": 5.169099998965976,
-        "batch64_ms_per_window_median": 3.1175546875203963
-      },
-      "percentile_all": {
-        "batch1_reps": [
-          5.184749999898486,
-          5.2898499998264015,
-          5.916899999647285
-        ],
-        "batch64_reps": [
-          4.305105468745296,
-          4.460741406262514,
-          4.184502343747454
-        ],
-        "batch1_ms_per_window_median": 5.2898499998264015,
-        "batch64_ms_per_window_median": 4.305105468745296
-      },
-      "percentile_conv": {
-        "batch1_reps": [
-          4.916449999655015,
-          7.150899999032845,
-          5.284949998895172
-        ],
-        "batch64_reps": [
-          3.855813281262499,
-          4.688969531230214,
-          5.220103124997877
-        ],
-        "batch1_ms_per_window_median": 5.284949998895172,
-        "batch64_ms_per_window_median": 4.688969531230214
-      },
-      "minmax_all": {
-        "batch1_reps": [
-          6.463300000177696,
-          7.149449998905766,
-          5.3209000016067876
-        ],
-        "batch64_reps": [
-          3.9251343750095202,
-          4.033442187505898,
-          3.428199218745931
-        ],
-        "batch1_ms_per_window_median": 6.463300000177696,
-        "batch64_ms_per_window_median": 3.9251343750095202
-      },
-      "minmax_conv": {
-        "batch1_reps": [
-          5.9961499991914025,
-          5.236549999608542,
-          4.854399998293957
-        ],
-        "batch64_reps": [
-          4.368359375007458,
-          3.249617187492504,
-          3.0238906249735464
-        ],
-        "batch1_ms_per_window_median": 5.236549999608542,
-        "batch64_ms_per_window_median": 3.249617187492504
-      }
-    },
-    "accuracy_subset": {
-      "description": "seed-42 file-level 70/15/15 test split, corrupted windows excluded, seed-42 random subset (same as quantize_bench/eval_ort_accuracy)",
-      "subset_size": 10000
-    }
-  },
-  "tiny_variant": {
-    "env": {
-      "torch": "2.12.0+cpu",
-      "onnxruntime": "1.26.0",
-      "platform": "Windows-11-10.0.26200-SP0",
-      "num_threads": 16,
-      "checkpoint": "results\\tiny_best.pth",
-      "checkpoint_size_bytes": 340555,
-      "params": 56290,
-      "variant_config": {
-        "tcn": [
-          68,
-          56,
-          44,
-          32
-        ],
-        "conv": [
-          2,
-          4,
-          8,
-          16
-        ],
-        "attn_groups": 2,
-        "groups_mode": "depthwise",
-        "input_pw_groups": 4
-      }
-    },
-    "export": {
-      "mode": "dynamic-batch",
-      "exporter": "torchscript",
-      "opset": 17,
-      "file": "tiny_fp32_dynamic.onnx",
-      "size_bytes": 295279,
-      "size_mb": 0.295279,
-      "verified_batches": [
-        1,
-        2,
-        64
-      ],
-      "note": "AdaptiveAvgPool2d((15,1)) replaced at export by an exact mean(-1) + constant averaging matmul (final_width 16 is not a multiple of 15, which the TorchScript exporter rejects); exactness proven by the parity check vs the original torch model"
-    },
-    "parity": {
-      "fixture": "results/parity_fixture.npz input (batch 2, seed 42); reference output recomputed with the tiny torch model",
-      "max_abs_diff_vs_torch": 1.4901161193847656e-07,
-      "pass_lt_1e-4": true
-    },
-    "int8_static_percentile_conv": {
-      "file": "tiny_int8_static_percentile_conv.onnx",
-      "size_bytes": 248278,
-      "size_mb": 0.248278,
-      "calibration": {
-        "method": "percentile",
-        "percentile": 99.99,
-        "windows": 512,
-        "scope": "conv-only TRAIN-split corruption-free",
-        "seconds": 1.5347836017608643
-      },
-      "per_channel": true,
-      "activation_type": "QInt8",
-      "weight_type": "QInt8",
-      "max_abs_diff_vs_fp32_fixture": 0.018491357564926147
-    },
-    "latency": {
-      "note": "3 interleaved repetitions per variant, median ms/window; full-model sessions are same-session references",
-      "tiny_onnx_fp32": {
-        "batch1_reps": [
-          0.6312500008789357,
-          0.6834500018157996,
-          0.6595999984710943
-        ],
-        "batch64_reps": [
-          0.37747578119251557,
-          0.24196640623586063,
-          0.2314671875183194
-        ],
-        "batch1_ms_per_window_median": 0.6595999984710943,
-        "batch64_ms_per_window_median": 0.24196640623586063
-      },
-      "tiny_onnx_int8_static_percentile_conv": {
-        "batch1_reps": [
-          0.7988500001374632,
-          0.9382499993080273,
-          0.8451000030618161
-        ],
-        "batch64_reps": [
-          0.9211476562995813,
-          1.3045390625165965,
-          1.026230468767153
-        ],
-        "batch1_ms_per_window_median": 0.8451000030618161,
-        "batch64_ms_per_window_median": 1.026230468767153
-      },
-      "full_onnx_fp32_reference": {
-        "batch1_reps": [
-          2.267249998112675,
-          2.80170000041835,
-          2.132149998942623
-        ],
-        "batch64_reps": [
-          1.3050578124875756,
-          1.4244992187855132,
-          1.8014164062947202
-        ],
-        "batch1_ms_per_window_median": 2.267249998112675,
-        "batch64_ms_per_window_median": 1.4244992187855132
-      },
-      "full_onnx_int8_static_percentile_conv_reference": {
-        "batch1_reps": [
-          5.529599999135826,
-          4.768399998283712,
-          6.215800000063609
-        ],
-        "batch64_reps": [
-          3.815724218725336,
-          3.1025562500417436,
-          4.333318749957016
-        ],
-        "batch1_ms_per_window_median": 5.529599999135826,
-        "batch64_ms_per_window_median": 3.815724218725336
-      }
-    },
-    "accuracy_subset": {
-      "description": "seed-42 file-level 70/15/15 test split, corrupted windows excluded, seed-42 random subset (same as quantize_bench/eval_ort_accuracy/static_ptq_bench)",
-      "subset_size": 10000
-    },
-    "accuracy": {
-      "tiny_onnx_fp32": {
-        "samples": 10000,
-        "pck@20": 0.941106667804718,
-        "pck@50": 0.99369333152771,
-        "mpjpe": 0.012527281279861927,
-        "wall_seconds": 10.927234888076782
-      },
-      "tiny_onnx_int8_static_percentile_conv": {
-        "samples": 10000,
-        "pck@20": 0.9268133331298828,
-        "pck@50": 0.9932933319091797,
-        "mpjpe": 0.014906252065300942,
-        "wall_seconds": 12.320892333984375
-      }
-    }
-  }
-}

benchmarks/wiflow-std/results/efficiency_sweep.jsonl

@@ -1,3 +0,0 @@
-{"variant": "half", "params": 843834, "tcn_channels": [270, 220, 170, 120], "conv_channels": [4, 8, 16, 32], "attn_groups": 4, "groups_mode": "gcd20", "input_pw_groups": 1, "tcn_groups_per_block": [[20, 10], [10, 20], [20, 10], [10, 20]], "conv_strides": [2, 2, 2, 1], "final_width": 15, "batch_size": 64, "max_epochs": 50, "patience": 5, "lr": 0.0001, "weight_decay": 5e-05, "seed": 42, "precision": "fp32", "epochs_run": 28, "best_epoch": 23, "best_val_mpjpe": 0.008576328293592842, "best_val_pck20": 0.9690593021534107, "train_seconds": 1346.4, "torch": "2.11.0+cu128", "error": null, "finished_utc": "2026-06-11T03:09:47Z", "checkpoint": "/home/ruvultra/wiflow-std-bench/sweep/half_best.pth", "test_full": {"samples": 54000, "mpjpe": 0.009419974447676428, "pck@10": 0.8740543655289544, "pck@20": 0.9610469643628156, "pck@30": 0.9813556064146537, "pck@40": 0.9896086878246731, "pck@50": 0.9934827546013726}, "test_clean": {"samples": 52560, "mpjpe": 0.008980081718602137, "pck@10": 0.8840944136840205, "pck@20": 0.9662253179869514, "pck@30": 0.9847971080282144, "pck@40": 0.9917795997050618, "pck@50": 0.9946956242600532}}
-{"variant": "quarter", "params": 338600, "tcn_channels": [135, 110, 85, 60], "conv_channels": [2, 4, 8, 16], "attn_groups": 2, "groups_mode": "gcd20", "input_pw_groups": 1, "tcn_groups_per_block": [[20, 5], [5, 10], [10, 5], [5, 20]], "conv_strides": [2, 2, 1, 1], "final_width": 15, "batch_size": 64, "max_epochs": 50, "patience": 5, "lr": 0.0001, "weight_decay": 5e-05, "seed": 42, "precision": "fp32", "epochs_run": 50, "best_epoch": 50, "best_val_mpjpe": 0.008780752391864856, "best_val_pck20": 0.9672531302240159, "train_seconds": 1754.4, "torch": "2.11.0+cu128", "error": null, "finished_utc": "2026-06-11T03:39:06Z", "checkpoint": "/home/ruvultra/wiflow-std-bench/sweep/quarter_best.pth", "test_full": {"samples": 54000, "mpjpe": 0.009705399298005634, "pck@10": 0.8646123917014511, "pck@20": 0.9553815319449813, "pck@30": 0.979827209190086, "pck@40": 0.9887037501511751, "pck@50": 0.9931309027671814}, "test_clean": {"samples": 52560, "mpjpe": 0.009279253277105465, "pck@10": 0.8742288637923323, "pck@20": 0.9605315079427745, "pck@30": 0.9833016723076865, "pck@40": 0.9908206971631566, "pck@50": 0.9942719799017071}}
-{"variant": "tiny", "params": 56290, "tcn_channels": [68, 56, 44, 32], "conv_channels": [2, 4, 8, 16], "attn_groups": 2, "groups_mode": "depthwise", "input_pw_groups": 4, "tcn_groups_per_block": [[540, 68], [68, 56], [56, 44], [44, 32]], "conv_strides": [2, 1, 1, 1], "final_width": 16, "batch_size": 64, "max_epochs": 50, "patience": 5, "lr": 0.0001, "weight_decay": 5e-05, "seed": 42, "precision": "fp32", "epochs_run": 50, "best_epoch": 47, "best_val_mpjpe": 0.012602971208592256, "best_val_pck20": 0.9397210340146666, "train_seconds": 1540.1, "torch": "2.11.0+cu128", "error": null, "finished_utc": "2026-06-11T04:04:50Z", "checkpoint": "/home/ruvultra/wiflow-std-bench/sweep/tiny_best.pth", "test_full": {"samples": 54000, "mpjpe": 0.012859782406853305, "pck@10": 0.7640358444319831, "pck@20": 0.9364815320968628, "pck@30": 0.9731568422317505, "pck@40": 0.9866444962642811, "pck@50": 0.992488939108672}, "test_clean": {"samples": 52560, "mpjpe": 0.012502924276904246, "pck@10": 0.770895526488985, "pck@20": 0.9411073559313967, "pck@30": 0.9764840687790962, "pck@40": 0.9886695077067278, "pck@50": 0.9936238432039409}}

benchmarks/wiflow-std/results/eval_retrained.json

@@ -1,21 +0,0 @@
-{
-  "checkpoint": "/home/ruvultra/wiflow-std-bench/upstream/test/best_pose_model.pth",
-  "test_full": {
-    "samples": 54000,
-    "mpjpe": 0.009834060806367133,
-    "pck@10": 0.8686346120127925,
-    "pck@20": 0.9608815324571398,
-    "pck@30": 0.9789111610695168,
-    "pck@40": 0.9857975759682832,
-    "pck@50": 0.9898827553325229
-  },
-  "test_clean": {
-    "samples": 52560,
-    "mpjpe": 0.009432755044379373,
-    "pck@10": 0.876996495807189,
-    "pck@20": 0.9661454100405608,
-    "pck@30": 0.9823453060205306,
-    "pck@40": 0.987909734176537,
-    "pck@50": 0.9911238361167036
-  }
-}

benchmarks/wiflow-std/results/repro_a.json

@@ -1,32 +0,0 @@
-{
-  "published": {
-    "pck@20": 0.9725,
-    "pck@30": 0.9863,
-    "pck@40": 0.9916,
-    "pck@50": 0.9948,
-    "mpjpe": 0.007
-  },
-  "params_millions": 2.225042,
-  "data_dir": "C:\\Users\\ruv\\.cache\\kagglehub\\datasets\\kaka2434\\wiflow-dataset\\versions\\1\\preprocessed_csi_data",
-  "device": "cpu",
-  "test_full": {
-    "samples": 54000,
-    "mpjpe": NaN,
-    "pck@10": 5.6790124349020145e-05,
-    "pck@20": 0.0007876543271596785,
-    "pck@30": 0.007780246982971827,
-    "pck@40": 0.05529259262923841,
-    "pck@50": 0.1542370371548114,
-    "wall_seconds": 118.03756999969482
-  },
-  "test_drop_last": {
-    "samples": 53952,
-    "mpjpe": NaN,
-    "pck@10": 5.6840649370682976e-05,
-    "pck@20": 0.0007883550872372227,
-    "pck@30": 0.007787168910892621,
-    "pck@40": 0.055318307667895535,
-    "pck@50": 0.15425316342412276,
-    "wall_seconds": 120.87458372116089
-  }
-}

benchmarks/wiflow-std/static_ptq_bench.py

@@ -1,333 +0,0 @@
-"""ADR-152 edge optimization follow-up: ONNX Runtime STATIC post-training
-quantization (calibration-based QDQ) of the retrained WiFlow-STD model, to
-improve on the dynamic-int8 result (2.44 MB, PCK@20 96.52%, 6.5 ms/win b1).
-
-Static PTQ pre-computes activation ranges from calibration data, so inference
-uses QLinearConv/QDQ kernels instead of dynamic ConvInteger -- typically both
-faster and (with good calibration) closer to fp32 accuracy.
-
-Method:
-  - Calibration set: corruption-free windows drawn ONLY from the seed-42
-    file-level TRAINING split (same split as eval_repro.py; corrupted windows
-    excluded via results/nan_windows_mask.npy | big_windows_mask.npy), chosen
-    with np.random.default_rng(42). Never test windows.
-  - quantize_static, QuantFormat.QDQ, per-channel int8 weights, int8
-    activations; calibration methods MinMax / Entropy / Percentile(99.99);
-    scopes "all" (ORT default op set) vs "conv" (op_types_to_quantize=
-    ["Conv"] -- leaves the attention path, which exports as Einsum/Softmax
-    and elementwise ops, in fp32).
-  - Model is pre-processed first (quant_pre_process: symbolic shape
-    inference + ORT graph optimization, folds BatchNormalization into Conv).
-  - Accuracy: identical protocol to eval_ort_accuracy.py -- the 10,000-window
-    seed-42 subset of the corruption-free test split (PCK@20/50, MPJPE).
-  - Latency: median ms/window at batch 1 (100 runs) and batch 64 (30 runs),
-    3 interleaved repetitions across all variants (fp32 and dynamic-int8
-    sessions included as same-session reference points).
-
-Usage:
-  PYTHONUTF8=1 .venv/Scripts/python.exe static_ptq_bench.py \
-      [--data-dir <preprocessed_csi_data>] [--subset 10000]
-      [--calib-minmax 1000] [--calib-hist 512] [--skip-accuracy]
-
-Writes/merges into results/edge_optimization.json under key "onnx_static_ptq".
-"""
-
-import argparse
-import collections
-import json
-import os
-import platform
-import statistics
-import sys
-import time
-
-import numpy as np
-import torch
-
-HERE = os.path.dirname(os.path.abspath(__file__))
-sys.path.insert(0, HERE)
-
-from _bench_common import RESULTS  # noqa: E402
-# quantize_bench sets up upstream imports + the np.load mmap patch
-# (both via _bench_common.import_upstream)
-from quantize_bench import build_test_subset  # noqa: E402
-import quantize_bench as qb  # noqa: E402
-from eval_ort_accuracy import evaluate_ort  # noqa: E402
-
-FP32_ONNX = os.path.join(RESULTS, "retrained_fp32_dynamic.onnx")
-DYN_INT8_ONNX = os.path.join(RESULTS, "retrained_int8_ort_dynamic.onnx")
-PREPROC_ONNX = os.path.join(RESULTS, "retrained_fp32_preproc.onnx")
-
-
-# ---------------------------------------------------------------------------
-# calibration data: corruption-free TRAINING-split windows only
-# ---------------------------------------------------------------------------
-
-def build_calibration_windows(data_dir, n_windows):
-    """Seed-42 file-level 70/15/15 TRAIN split (exactly as eval_repro.py),
-    minus corrupted windows, then a seed-42 random draw of n_windows."""
-    dataset = qb.PreprocessedCSIKeypointsDataset(
-        data_dir=data_dir, keypoint_scale=1000.0, enable_temporal_clean=True)
-    train_loader, _va, _te = qb.create_preprocessed_train_val_test_loaders(
-        dataset=dataset, batch_size=64, num_workers=0, random_seed=42)
-    train_indices = np.asarray(train_loader.dataset.indices)
-
-    corrupted = (np.load(os.path.join(RESULTS, "nan_windows_mask.npy"))
-                 | np.load(os.path.join(RESULTS, "big_windows_mask.npy")))
-    clean = train_indices[~corrupted[train_indices]]
-    print(f"train split: {len(train_indices)} windows, "
-          f"{len(train_indices) - len(clean)} corrupted excluded, "
-          f"{len(clean)} clean")
-
-    rng = np.random.default_rng(42)
-    sel = np.sort(rng.choice(clean, size=n_windows, replace=False))
-    xs = np.stack([dataset[int(i)][0].numpy() for i in sel]).astype(np.float32)
-    print(f"calibration tensor: {xs.shape} from {n_windows} clean TRAIN windows")
-    return xs
-
-
-def make_reader(windows, batch_size=64):
-    from onnxruntime.quantization import CalibrationDataReader
-
-    class WindowReader(CalibrationDataReader):
-        def __init__(self):
-            self._batches = [windows[i:i + batch_size]
-                             for i in range(0, len(windows), batch_size)]
-            self._it = iter(self._batches)
-
-        def get_next(self):
-            b = next(self._it, None)
-            return None if b is None else {"input": b}
-
-        def rewind(self):
-            self._it = iter(self._batches)
-
-        def __len__(self):
-            return len(self._batches)
-
-    return WindowReader()
-
-
-# ---------------------------------------------------------------------------
-# quantization variants
-# ---------------------------------------------------------------------------
-
-def preprocess_model():
-    from onnxruntime.quantization.shape_inference import quant_pre_process
-    quant_pre_process(FP32_ONNX, PREPROC_ONNX)
-    return PREPROC_ONNX
-
-
-def quantize_variant(src, dst, method, scope, calib_windows):
-    from onnxruntime.quantization import (CalibrationMethod, QuantFormat,
-                                          QuantType, quantize_static)
-    methods = {
-        "minmax": CalibrationMethod.MinMax,
-        "entropy": CalibrationMethod.Entropy,
-        "percentile": CalibrationMethod.Percentile,
-    }
-    # NB: do NOT pass CalibMaxIntermediateOutputs -- in ORT 1.26 the MinMax
-    # calibrater clears its buffer every N batches and then raises
-    # "No data is collected" if the batch count is divisible by N.
-    extra = {}
-    if method == "percentile":
-        extra["CalibPercentile"] = 99.99
-    op_types = ["Conv"] if scope == "conv" else None
-
-    t0 = time.time()
-    quantize_static(
-        src, dst, make_reader(calib_windows),
-        quant_format=QuantFormat.QDQ,
-        op_types_to_quantize=op_types,
-        per_channel=True,
-        activation_type=QuantType.QInt8,
-        weight_type=QuantType.QInt8,
-        calibrate_method=methods[method],
-        extra_options=extra,
-    )
-    secs = time.time() - t0
-
-    import onnx
-    ops = collections.Counter(n.op_type for n in onnx.load(dst).graph.node)
-    return {
-        "file": os.path.basename(dst),
-        "size_bytes": os.path.getsize(dst),
-        "size_mb": os.path.getsize(dst) / 1e6,
-        "calibration": {"method": method,
-                        "windows": int(len(calib_windows)),
-                        "percentile": extra.get("CalibPercentile"),
-                        "seconds": secs},
-        "scope": scope,
-        "per_channel": True,
-        "activation_type": "QInt8",
-        "weight_type": "QInt8",
-        "node_counts": {k: v for k, v in sorted(ops.items())},
-    }
-
-
-# ---------------------------------------------------------------------------
-# latency (3 interleaved reps, like the latency_controlled_rerun)
-# ---------------------------------------------------------------------------
-
-def ort_session(path):
-    import onnxruntime as ort
-    return ort.InferenceSession(path, providers=["CPUExecutionProvider"])
-
-
-def bench_ort(sess, batch, n_runs):
-    rng = np.random.default_rng(123)
-    x = rng.random((batch, 540, 20), dtype=np.float32)
-    inp = sess.get_inputs()[0].name
-    for _ in range(max(5, n_runs // 10)):
-        sess.run(None, {inp: x})
-    times = []
-    for _ in range(n_runs):
-        t0 = time.perf_counter()
-        sess.run(None, {inp: x})
-        times.append(time.perf_counter() - t0)
-    return statistics.median(times) * 1e3 / batch  # ms/window
-
-
-def interleaved_latency(sessions, reps=3, runs_b1=100, runs_b64=30):
-    lat = {name: {"batch1_reps": [], "batch64_reps": []} for name in sessions}
-    for rep in range(reps):
-        for name, sess in sessions.items():
-            lat[name]["batch1_reps"].append(bench_ort(sess, 1, runs_b1))
-            lat[name]["batch64_reps"].append(bench_ort(sess, 64, runs_b64))
-            print(f"  rep {rep + 1}/{reps} {name}: "
-                  f"b1={lat[name]['batch1_reps'][-1]:.2f} "
-                  f"b64={lat[name]['batch64_reps'][-1]:.3f} ms/win", flush=True)
-    for name in lat:
-        lat[name]["batch1_ms_per_window_median"] = statistics.median(
-            lat[name]["batch1_reps"])
-        lat[name]["batch64_ms_per_window_median"] = statistics.median(
-            lat[name]["batch64_reps"])
-    return lat
-
-
-# ---------------------------------------------------------------------------
-
-def main():
-    import onnxruntime
-    parser = argparse.ArgumentParser()
-    parser.add_argument("--data-dir", default=os.path.join(
-        os.path.expanduser("~"), ".cache", "kagglehub", "datasets", "kaka2434",
-        "wiflow-dataset", "versions", "1", "preprocessed_csi_data"))
-    parser.add_argument("--subset", type=int, default=10000)
-    parser.add_argument("--calib-minmax", type=int, default=1000)
-    parser.add_argument("--calib-hist", type=int, default=512,
-                        help="calibration windows for Entropy/Percentile "
-                             "(histogram calibraters hold all intermediate "
-                             "activations in RAM)")
-    parser.add_argument("--skip-accuracy", action="store_true")
-    parser.add_argument("--methods", default="minmax,entropy,percentile",
-                        help="comma list of calibration methods to (re)run; "
-                             "results merge into existing onnx_static_ptq")
-    parser.add_argument("--out", default=os.path.join(RESULTS, "edge_optimization.json"))
-    args = parser.parse_args()
-
-    results = {
-        "env": {
-            "onnxruntime": onnxruntime.__version__,
-            "torch": torch.__version__,
-            "platform": platform.platform(),
-            "source_model": os.path.basename(FP32_ONNX),
-        },
-        "variants": {},
-    }
-
-    # ---- calibration data (TRAIN split only) -------------------------------
-    calib_mm = build_calibration_windows(args.data_dir, args.calib_minmax)
-    calib_hist = calib_mm[:args.calib_hist]
-
-    # ---- preprocess + quantize ---------------------------------------------
-    print("\n=== quant_pre_process (shape inference + graph optimization) ===")
-    src = preprocess_model()
-    results["env"]["preprocessed_model"] = {
-        "file": os.path.basename(src),
-        "size_mb": os.path.getsize(src) / 1e6,
-    }
-
-    matrix = [(m, s) for m in args.methods.split(",")
-              for s in ("all", "conv")]
-    for method, scope in matrix:
-        name = f"{method}_{scope}"
-        dst = os.path.join(RESULTS, f"retrained_int8_static_{name}.onnx")
-        calib = calib_mm if method == "minmax" else calib_hist
-        print(f"\n=== quantize_static: {name} "
-              f"({len(calib)} calib windows) ===", flush=True)
-        try:
-            results["variants"][name] = quantize_variant(
-                src, dst, method, scope, calib)
-            print(f"  {results['variants'][name]['size_mb']:.3f} MB")
-        except Exception as e:  # noqa: BLE001
-            results["variants"][name] = {"error": f"{type(e).__name__}: {e}"}
-            print(f"  FAILED: {e}")
-
-    # ---- fixture parity (sanity, batch 2) ----------------------------------
-    fixture = np.load(os.path.join(RESULTS, "parity_fixture.npz"))
-    fx, fy = fixture["input"], fixture["output"]
-    sessions = {}
-    for name, info in results["variants"].items():
-        if "error" in info:
-            continue
-        path = os.path.join(RESULTS, info["file"])
-        try:
-            sess = ort_session(path)
-            yq = sess.run(None, {sess.get_inputs()[0].name: fx})[0]
-            info["max_abs_diff_vs_fp32_fixture"] = float(np.abs(yq - fy).max())
-            sessions[name] = sess
-        except Exception as e:  # noqa: BLE001
-            info["run_error"] = f"{type(e).__name__}: {e}"
-    print("\nfixture max-abs-diff vs fp32:",
-          {n: round(results["variants"][n].get("max_abs_diff_vs_fp32_fixture",
-                                               float("nan")), 5)
-           for n in results["variants"]})
-
-    # ---- latency: 3 interleaved reps incl. fp32 + dynamic-int8 reference ----
-    print("\n=== latency (3 interleaved reps) ===")
-    lat_sessions = {"onnx_fp32": ort_session(FP32_ONNX),
-                    "onnx_int8_ort_dynamic": ort_session(DYN_INT8_ONNX)}
-    lat_sessions.update(sessions)
-    results["latency"] = {
-        "note": "3 interleaved repetitions per variant, median ms/window; "
-                "onnx_fp32 / onnx_int8_ort_dynamic are same-session references",
-        **interleaved_latency(lat_sessions),
-    }
-
-    # ---- accuracy on the standard 10k corruption-free test subset ----------
-    if not args.skip_accuracy:
-        loader, n_clean = build_test_subset(args.data_dir, args.subset)
-        results["accuracy_subset"] = {
-            "description": "seed-42 file-level 70/15/15 test split, corrupted "
-                           "windows excluded, seed-42 random subset (same as "
-                           "quantize_bench/eval_ort_accuracy)",
-            "subset_size": min(args.subset, n_clean) if args.subset else n_clean,
-        }
-        for name, sess in sessions.items():
-            print(f"\n=== accuracy: {name} ===")
-            results["variants"][name]["accuracy"] = evaluate_ort(
-                sess, loader, name)
-            print(json.dumps(results["variants"][name]["accuracy"], indent=2))
-
-    # ---- merge into edge_optimization.json ----------------------------------
-    merged = {}
-    if os.path.exists(args.out):
-        with open(args.out) as f:
-            merged = json.load(f)
-    prev = merged.get("onnx_static_ptq")
-    if prev:  # nested merge so partial --methods reruns don't clobber
-        prev["env"] = results["env"]
-        prev["variants"].update(results["variants"])
-        prev.setdefault("latency", {}).update(results["latency"])
-        if "accuracy_subset" in results:
-            prev["accuracy_subset"] = results["accuracy_subset"]
-    else:
-        merged["onnx_static_ptq"] = results
-    with open(args.out, "w") as f:
-        json.dump(merged, f, indent=2)
-    print(f"\nwrote {args.out}")
-
-
-if __name__ == "__main__":
-    main()

benchmarks/wiflow-std/tiny_edge_bench.py

@@ -1,313 +0,0 @@
-"""ADR-152 efficiency-sweep follow-up: edge pipeline for the TINY compact
-WiFlow-STD variant (56,290 params, results/tiny_best.pth, trained overnight
-2026-06-10/11 -- see RESULTS.md "Efficiency sweep").
-
-Headline question: what does the smallest deployable WiFlow-class model look
-like (KB + ms + PCK)? Reuses the onnx_bench.py / static_ptq_bench.py
-machinery on the tiny checkpoint:
-
-  1. Load tiny_best.pth with remote/sweep/model_compact.py
-     (depthwise TCN groups, input_pw_groups=4, conv [2,4,8,16], attn groups 2).
-  2. Export ONNX: dynamic batch, opset 17, TorchScript exporter (dynamo=False)
-     -- same recipe that worked for the full model; verified at batch 1/2/64.
-     One forced deviation: tiny's stride schedule [2,1,1,1] leaves final_width
-     16, and the TorchScript exporter cannot export AdaptiveAvgPool2d((15,1))
-     when 15 is not a factor of the input height (the full model never hit
-     this -- its width was exactly 15). The adaptive pool over a fixed-size
-     feature map is a fixed linear map, so the export wrapper replaces it with
-     an exact matmul equivalent (PyTorch adaptive-pool bin semantics:
-     bin i averages rows floor(i*H/K)..ceil((i+1)*H/K)); the W axis (20->1,
-     a factor) becomes mean(-1). Exactness is proven by the parity check
-     below, which compares against the ORIGINAL torch model with the real
-     AdaptiveAvgPool2d.
-  3. Torch-vs-ORT parity on the stored fixture input
-     (results/parity_fixture.npz, batch 2, seed 42 -- same 540x20 input layout;
-     reference output recomputed with the tiny torch model). PASS < 1e-4.
-  4. Static QDQ conv-only int8 (quant_pre_process + quantize_static,
-     per-channel QInt8 weights+activations, Percentile(99.99) calibration on
-     512 corruption-free TRAIN-split windows -- the winning recipe and
-     calibration count from static_ptq_bench.py. 512, not "about 500":
-     ORT 1.26's histogram collector np.asarray()'s the per-batch maxima, so
-     the calibration count must be a multiple of the batch size 64 or the
-     ragged last batch crashes it).
-  5. Disk size + CPU latency b1/b64 (3 interleaved reps, median ms/window)
-     for tiny fp32 + tiny int8, with the full-model ONNX fp32 + static-int8
-     sessions interleaved as same-session references.
-  6. Accuracy (PCK@20/50 + MPJPE) on the identical 10k-window seed-42
-     corruption-free test subset for tiny fp32 + tiny int8.
-
-Usage:
-  PYTHONUTF8=1 .venv/Scripts/python.exe tiny_edge_bench.py \
-      [--data-dir <preprocessed_csi_data>] [--subset 10000] [--calib 512]
-  (--calib must be a multiple of 64; see step 4 above)
-
-Writes/merges into results/edge_optimization.json under key "tiny_variant".
-"""
-
-import argparse
-import json
-import os
-import platform
-import sys
-import time
-
-import numpy as np
-import torch
-
-HERE = os.path.dirname(os.path.abspath(__file__))
-RESULTS = os.path.join(HERE, "results")
-sys.path.insert(0, HERE)
-sys.path.insert(0, os.path.join(HERE, "remote", "sweep"))
-
-# quantize_bench sets up upstream imports + the np.load mmap patch
-from quantize_bench import build_test_subset  # noqa: E402
-from eval_ort_accuracy import evaluate_ort  # noqa: E402
-from static_ptq_bench import (  # noqa: E402
-    build_calibration_windows,
-    interleaved_latency,
-    make_reader,
-    ort_session,
-)
-from model_compact import CompactWiFlowPoseModel, describe  # noqa: E402
-
-TINY_CKPT = os.path.join(RESULTS, "tiny_best.pth")
-TINY_FP32_ONNX = os.path.join(RESULTS, "tiny_fp32_dynamic.onnx")
-TINY_PREPROC_ONNX = os.path.join(RESULTS, "tiny_fp32_preproc.onnx")
-TINY_INT8_ONNX = os.path.join(RESULTS, "tiny_int8_static_percentile_conv.onnx")
-FULL_FP32_ONNX = os.path.join(RESULTS, "retrained_fp32_dynamic.onnx")
-FULL_INT8_ONNX = os.path.join(RESULTS, "retrained_int8_static_percentile_conv.onnx")
-
-# Exact tiny config from remote/sweep/run_sweep.py VARIANTS (measured 56,290
-# params, clean-test PCK@20 94.11% -- results/efficiency_sweep.jsonl).
-TINY = dict(tcn=[68, 56, 44, 32], conv=[2, 4, 8, 16], attn_groups=2,
-            groups_mode="depthwise", input_pw_groups=4)
-
-
-def load_tiny_model():
-    model = CompactWiFlowPoseModel(
-        tcn_channels=TINY["tcn"], conv_channels=TINY["conv"],
-        attn_groups=TINY["attn_groups"], groups_mode=TINY["groups_mode"],
-        input_pw_groups=TINY["input_pw_groups"], dropout=0.5)
-    state = torch.load(TINY_CKPT, map_location="cpu", weights_only=True)
-    model.load_state_dict(state, strict=True)
-    model.eval()
-    return model
-
-
-def adaptive_pool_matrix(h_in, h_out):
-    """Exact AdaptiveAvgPool1d as a (h_out, h_in) averaging matrix, using
-    PyTorch's bin rule: bin i covers rows floor(i*h_in/h_out) ..
-    ceil((i+1)*h_in/h_out)."""
-    w = torch.zeros(h_out, h_in)
-    for i in range(h_out):
-        s = (i * h_in) // h_out
-        e = -((-(i + 1) * h_in) // h_out)  # ceil division
-        w[i, s:e] = 1.0 / (e - s)
-    return w
-
-
-class ExportWrapper(torch.nn.Module):
-    """CompactWiFlowPoseModel forward with the AdaptiveAvgPool2d((K,1))
-    replaced by an exact fixed linear map (mean over the factor W axis, then
-    a constant averaging matmul over the non-factor H axis) so the
-    TorchScript ONNX exporter accepts it. Bit-equivalent up to float
-    round-off; proven by the parity check against the original model."""
-
-    def __init__(self, m, num_keypoints=15):
-        super().__init__()
-        self.m = m
-        self.register_buffer(
-            "pool_w_t", adaptive_pool_matrix(m.final_width, num_keypoints).t())
-
-    def forward(self, x):
-        m = self.m
-        x = m.tcn(x)
-        x = x.transpose(1, 2).unsqueeze(1)
-        x = m.up(x)
-        for block in m.residual_blocks:
-            x = block(x)
-        x = x.permute(0, 1, 3, 2)
-        x = m.attention(x)
-        x = m.decoder(x)                  # [B, 2, H=final_width, T=20]
-        x = x.mean(-1)                    # W-axis pool (20 -> 1, a factor)
-        x = x.matmul(self.pool_w_t)       # exact adaptive H pool: [B, 2, K]
-        return x.transpose(1, 2)          # [B, K, 2]
-
-
-def export_onnx(model):
-    """Dynamic-batch TorchScript export (the recipe that worked for the full
-    model in onnx_bench.py), verified at batch 1/2/64. Uses ExportWrapper
-    (see docstring) because final_width 16 is not a multiple of 15."""
-    wrapper = ExportWrapper(model).eval()
-    x = torch.rand(2, 540, 20)
-    with torch.no_grad():
-        torch.onnx.export(
-            wrapper, (x,), TINY_FP32_ONNX, opset_version=17,
-            input_names=["input"], output_names=["output"], dynamo=False,
-            dynamic_axes={"input": {0: "batch"}, "output": {0: "batch"}})
-    sess = ort_session(TINY_FP32_ONNX)
-    inp = sess.get_inputs()[0].name
-    for b in (1, 2, 64):
-        y = sess.run(None, {inp: np.zeros((b, 540, 20), dtype=np.float32)})[0]
-        assert y.shape == (b, 15, 2), y.shape
-    return {
-        "mode": "dynamic-batch", "exporter": "torchscript", "opset": 17,
-        "file": os.path.basename(TINY_FP32_ONNX),
-        "size_bytes": os.path.getsize(TINY_FP32_ONNX),
-        "size_mb": os.path.getsize(TINY_FP32_ONNX) / 1e6,
-        "verified_batches": [1, 2, 64],
-        "note": "AdaptiveAvgPool2d((15,1)) replaced at export by an exact "
-                "mean(-1) + constant averaging matmul (final_width 16 is not "
-                "a multiple of 15, which the TorchScript exporter rejects); "
-                "exactness proven by the parity check vs the original torch "
-                "model",
-    }
-
-
-def quantize_tiny(calib_windows):
-    """quant_pre_process + static QDQ conv-only Percentile(99.99) int8 --
-    the winning recipe from static_ptq_bench.py."""
-    from onnxruntime.quantization import (CalibrationMethod, QuantFormat,
-                                          QuantType, quantize_static)
-    from onnxruntime.quantization.shape_inference import quant_pre_process
-
-    quant_pre_process(TINY_FP32_ONNX, TINY_PREPROC_ONNX)
-    t0 = time.time()
-    quantize_static(
-        TINY_PREPROC_ONNX, TINY_INT8_ONNX, make_reader(calib_windows),
-        quant_format=QuantFormat.QDQ,
-        op_types_to_quantize=["Conv"],
-        per_channel=True,
-        activation_type=QuantType.QInt8,
-        weight_type=QuantType.QInt8,
-        calibrate_method=CalibrationMethod.Percentile,
-        extra_options={"CalibPercentile": 99.99},
-    )
-    return {
-        "file": os.path.basename(TINY_INT8_ONNX),
-        "size_bytes": os.path.getsize(TINY_INT8_ONNX),
-        "size_mb": os.path.getsize(TINY_INT8_ONNX) / 1e6,
-        "calibration": {"method": "percentile", "percentile": 99.99,
-                        "windows": int(len(calib_windows)),
-                        "scope": "conv-only TRAIN-split corruption-free",
-                        "seconds": time.time() - t0},
-        "per_channel": True,
-        "activation_type": "QInt8",
-        "weight_type": "QInt8",
-    }
-
-
-def main():
-    import onnxruntime
-    parser = argparse.ArgumentParser()
-    parser.add_argument("--data-dir", default=os.path.join(
-        os.path.expanduser("~"), ".cache", "kagglehub", "datasets", "kaka2434",
-        "wiflow-dataset", "versions", "1", "preprocessed_csi_data"))
-    parser.add_argument("--subset", type=int, default=10000)
-    parser.add_argument("--calib", type=int, default=512,
-                        help="calibration windows; must be a multiple of the "
-                             "64-window calibration batch (ORT histogram "
-                             "collector rejects ragged batches)")
-    parser.add_argument("--skip-accuracy", action="store_true")
-    parser.add_argument("--out", default=os.path.join(RESULTS, "edge_optimization.json"))
-    args = parser.parse_args()
-
-    if args.calib % 64 != 0:
-        parser.error(
-            f"--calib must be a multiple of 64 (got {args.calib}): ORT 1.26's "
-            f"histogram calibration collector np.asarray()'s the per-batch "
-            f"maxima and crashes on a ragged final batch (calibration batch "
-            f"size is 64)")
-
-    model = load_tiny_model()
-    info = describe(model)
-    print(f"tiny model: {info['params']:,} params, tcn_groups={info['tcn_groups_per_block']}, "
-          f"strides={info['conv_strides']}, final_width={info['final_width']}")
-    assert info["params"] == 56290, info["params"]
-
-    results = {
-        "env": {
-            "torch": torch.__version__,
-            "onnxruntime": onnxruntime.__version__,
-            "platform": platform.platform(),
-            "num_threads": torch.get_num_threads(),
-            "checkpoint": os.path.relpath(TINY_CKPT, HERE),
-            "checkpoint_size_bytes": os.path.getsize(TINY_CKPT),
-            "params": info["params"],
-            "variant_config": TINY,
-        },
-    }
-
-    # ---- export + parity ----------------------------------------------------
-    print("\n=== ONNX export (dynamic batch, opset 17, torchscript) ===")
-    results["export"] = export_onnx(model)
-    print(f"  {results['export']['size_mb']:.3f} MB, batches {results['export']['verified_batches']} OK")
-
-    fixture = np.load(os.path.join(RESULTS, "parity_fixture.npz"))
-    fx = fixture["input"]  # (2, 540, 20), seed 42 -- same input layout as full model
-    sess_fp32 = ort_session(TINY_FP32_ONNX)
-    y_ort = sess_fp32.run(None, {sess_fp32.get_inputs()[0].name: fx})[0]
-    with torch.no_grad():
-        y_torch = model(torch.from_numpy(fx)).numpy()
-    results["parity"] = {
-        "fixture": "results/parity_fixture.npz input (batch 2, seed 42); "
-                   "reference output recomputed with the tiny torch model",
-        "max_abs_diff_vs_torch": float(np.abs(y_ort - y_torch).max()),
-        "pass_lt_1e-4": bool(np.abs(y_ort - y_torch).max() < 1e-4),
-    }
-    print("parity:", json.dumps(results["parity"], indent=2))
-    assert results["parity"]["pass_lt_1e-4"], "torch-vs-ORT parity FAILED"
-
-    # ---- static PTQ int8 ------------------------------------------------------
-    print(f"\n=== static QDQ int8 (Percentile conv-only, {args.calib} calib windows) ===")
-    calib = build_calibration_windows(args.data_dir, args.calib)
-    results["int8_static_percentile_conv"] = quantize_tiny(calib)
-    print(f"  {results['int8_static_percentile_conv']['size_mb']:.3f} MB")
-    sess_int8 = ort_session(TINY_INT8_ONNX)
-    yq = sess_int8.run(None, {sess_int8.get_inputs()[0].name: fx})[0]
-    results["int8_static_percentile_conv"]["max_abs_diff_vs_fp32_fixture"] = float(
-        np.abs(yq - y_torch).max())
-
-    # ---- latency (3 interleaved reps, full-model sessions as references) -----
-    print("\n=== latency (3 interleaved reps) ===")
-    lat_sessions = {
-        "tiny_onnx_fp32": sess_fp32,
-        "tiny_onnx_int8_static_percentile_conv": sess_int8,
-        "full_onnx_fp32_reference": ort_session(FULL_FP32_ONNX),
-        "full_onnx_int8_static_percentile_conv_reference": ort_session(FULL_INT8_ONNX),
-    }
-    results["latency"] = {
-        "note": "3 interleaved repetitions per variant, median ms/window; "
-                "full-model sessions are same-session references",
-        **interleaved_latency(lat_sessions),
-    }
-
-    # ---- accuracy on the standard 10k corruption-free test subset ------------
-    if not args.skip_accuracy:
-        loader, n_clean = build_test_subset(args.data_dir, args.subset)
-        results["accuracy_subset"] = {
-            "description": "seed-42 file-level 70/15/15 test split, corrupted "
-                           "windows excluded, seed-42 random subset (same as "
-                           "quantize_bench/eval_ort_accuracy/static_ptq_bench)",
-            "subset_size": min(args.subset, n_clean) if args.subset else n_clean,
-        }
-        results["accuracy"] = {}
-        for name, sess in (("tiny_onnx_fp32", sess_fp32),
-                           ("tiny_onnx_int8_static_percentile_conv", sess_int8)):
-            print(f"\n=== accuracy: {name} ===")
-            results["accuracy"][name] = evaluate_ort(sess, loader, name)
-            print(json.dumps(results["accuracy"][name], indent=2))
-
-    # ---- merge into edge_optimization.json -----------------------------------
-    merged = {}
-    if os.path.exists(args.out):
-        with open(args.out) as f:
-            merged = json.load(f)
-    merged["tiny_variant"] = results
-    with open(args.out, "w") as f:
-        json.dump(merged, f, indent=2)
-    print(f"\nwrote {args.out}")
-
-
-if __name__ == "__main__":
-    main()

docker/Dockerfile.rust

@@ -3,7 +3,7 @@
 # Multi-stage build for minimal final image
 
 # Stage 1: Build
-FROM rust:1.89-bookworm AS builder
+FROM rust:1.85-bookworm AS builder
 
 WORKDIR /build
 
@@ -14,18 +14,9 @@ COPY v2/crates/ ./crates/
 # Copy vendored RuVector crates
 COPY vendor/ruvector/ /build/vendor/ruvector/
 
-# Build release binaries:
-#   - sensing-server with `mqtt` feature so the HA-DISCO MQTT publisher
-#     (ADR-115) is wired in (auto-discovery topics flow to Home Assistant)
-#   - cog-ha-matter, the ADR-116 Cognitum cog that wraps HA-DISCO +
-#     HA-MIND + mDNS + embedded broker for Home Assistant / Matter
-#   - homecore-server, the ADRs-126-134 HOMECORE native Rust port of
-#     Home Assistant (HA-wire-compat REST + WebSocket on :8123,
-#     SQLite + ruvector recorder, automation, assist, plugins, HAP)
-RUN cargo build --release -p wifi-densepose-sensing-server --features mqtt 2>&1 \
- && cargo build --release -p cog-ha-matter 2>&1 \
- && cargo build --release -p homecore-server 2>&1 \
- && strip target/release/sensing-server target/release/cog-ha-matter target/release/homecore-server
+# Build release binary
+RUN cargo build --release -p wifi-densepose-sensing-server 2>&1 \
+    && strip target/release/sensing-server
 
 # Stage 2: Runtime
 FROM debian:bookworm-slim
@@ -36,10 +27,8 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 WORKDIR /app
 
-# Copy binaries
+# Copy binary
 COPY --from=builder /build/target/release/sensing-server /app/sensing-server
-COPY --from=builder /build/target/release/cog-ha-matter /app/cog-ha-matter
-COPY --from=builder /build/target/release/homecore-server /app/homecore-server
 
 # Copy UI assets
 COPY ui/ /app/ui/
@@ -56,8 +45,6 @@ RUN set -e; \
         test -d "$d" || { echo "FATAL: missing UI directory $d"; exit 1; }; \
     done; \
     test -x /app/sensing-server || { echo "FATAL: /app/sensing-server is not executable"; exit 1; }; \
-    test -x /app/cog-ha-matter || { echo "FATAL: /app/cog-ha-matter is not executable"; exit 1; }; \
-    test -x /app/homecore-server || { echo "FATAL: /app/homecore-server is not executable"; exit 1; }; \
     echo "image assets OK"
 
 # Optional bearer-token auth on /api/v1/*: leave unset for LAN-mode (default),
@@ -71,10 +58,6 @@ EXPOSE 3000
 EXPOSE 3001
 # ESP32 UDP
 EXPOSE 5005/udp
-# MQTT broker (cog-ha-matter embedded broker — Home Assistant + Matter)
-EXPOSE 1883
-# HOMECORE HA-compatible REST + WebSocket (homecore-server)
-EXPOSE 8123
 
 ENV RUST_LOG=info
 

docker/docker-compose.yml

@@ -24,13 +24,10 @@ services:
     environment:
       - RUST_LOG=info
       # CSI_SOURCE controls the data source for the sensing server.
-      # Options: auto (default) — probe for ESP32 UDP then host WiFi; **fail
-      #                           hard with exit 78 if neither is detected**.
-      #                           Synthetic data is no longer a silent fallback
-      #                           (issue #937 fix) — operators must opt in.
+      # Options: auto (default) — probe for ESP32 UDP then fall back to simulation
       #          esp32          — receive real CSI frames from an ESP32 on UDP port 5005
       #          wifi           — use host Wi-Fi RSSI/scan data (Windows netsh)
-      #          simulated      — explicitly generate synthetic CSI for demo mode
+      #          simulated      — generate synthetic CSI data (no hardware required)
       - CSI_SOURCE=${CSI_SOURCE:-auto}
       # MODELS_DIR controls where the server scans for .rvf model files.
       # Mount a host directory and set this to make models visible:

docker/docker-entrypoint.sh

@@ -11,88 +11,10 @@
 #      docker run ruvnet/wifi-densepose:latest --model /app/models/my.rvf
 #
 # Environment variables:
-#   CSI_SOURCE   — data source. Valid values:
-#                    auto       — try ESP32 then Windows WiFi, **fail-loud if no
-#                                 real hardware is detected** (issue #937 fix:
-#                                 the server no longer silently falls back to
-#                                 synthetic data — that's now opt-in only).
-#                    esp32      — listen for UDP CSI on the configured port.
-#                    wifi       — Windows-native WiFi capture.
-#                    simulated  — explicit demo mode with synthetic CSI.
-#                  Default is `auto`. Set CSI_SOURCE=simulated when you want
-#                  fake data tagged as such; never set it implicitly.
+#   CSI_SOURCE   — data source: auto (default), esp32, wifi, simulated
 #   MODELS_DIR   — directory to scan for .rvf model files (default: data/models)
 set -e
 
-# ── Issue #864: fail-closed on default posture ───────────────────────────────
-# The pre-fix default was: empty RUVIEW_API_TOKEN (auth off) + --bind-addr
-# 0.0.0.0 + docker-compose publishing :3000/:3001/:5005 → an unauthenticated
-# attacker on any reachable network segment could read /api/v1/sensing/latest
-# and the /ws/sensing live stream. That posture is unsafe on guest WiFi,
-# untrusted LANs, accidentally-port-forwarded hosts, or any reverse-proxied
-# deployment. Refuse to start with this combination.
-#
-# Escape hatches (operator must opt in explicitly):
-#   * Set RUVIEW_API_TOKEN to a strong secret → auth enabled on /api/v1/*.
-#   * Set RUVIEW_ALLOW_UNAUTHENTICATED=1 → preserves the pre-fix behaviour;
-#     only safe on an isolated trust boundary.
-#   * Set RUVIEW_BIND_ADDR to a loopback / private interface → unauth is fine
-#     when the socket isn't reachable. The auto-bind nudges toward 127.0.0.1.
-#
-# This check runs only for the default sensing-server path (no args + flag-only
-# args). The `cog-ha-matter` / `homecore` routes below are excluded because
-# they own their own auth lifecycle.
-case "${1:-}" in
-    cog-ha-matter|ha-matter|homecore|homecore-server) ;;
-    *)
-        if [ -z "${RUVIEW_API_TOKEN:-}" ] && [ "${RUVIEW_ALLOW_UNAUTHENTICATED:-}" != "1" ]; then
-            # If the operator hasn't overridden the bind, refuse outright on
-            # the default 0.0.0.0. If they've nailed it to loopback (or a
-            # specific private address they trust), let it run.
-            __bind_default="${RUVIEW_BIND_ADDR:-0.0.0.0}"
-            case "$__bind_default" in
-                127.*|localhost|::1)
-                    : ;;  # loopback bind is safe even without a token
-                *)
-                    echo "[entrypoint] ERROR: refusing to start sensing-server with default" >&2
-                    echo "[entrypoint]        posture: RUVIEW_API_TOKEN is unset AND bind is" >&2
-                    echo "[entrypoint]        ${__bind_default}. /ws/sensing streams live sensing" >&2
-                    echo "[entrypoint]        frames; that data would be readable by anyone who" >&2
-                    echo "[entrypoint]        can reach this host. Pick one:" >&2
-                    echo "[entrypoint]          docker run -e RUVIEW_API_TOKEN=\$(openssl rand -hex 32) ..." >&2
-                    echo "[entrypoint]          docker run -e RUVIEW_BIND_ADDR=127.0.0.1 ..." >&2
-                    echo "[entrypoint]          docker run -e RUVIEW_ALLOW_UNAUTHENTICATED=1 ...   # only on trusted network" >&2
-                    echo "[entrypoint]        See https://github.com/ruvnet/RuView/issues/864" >&2
-                    exit 64
-                    ;;
-            esac
-        fi
-        ;;
-esac
-
-# Route to cog-ha-matter (ADR-116) when invoked as:
-#   docker run <image> cog-ha-matter [--flags]
-# or via the short alias `ha-matter`. Strips the keyword and execs the
-# Home Assistant + Matter cog binary, defaulting --sensing-url to the
-# co-located sensing-server endpoint so docker-compose deployments work
-# out of the box.
-case "${1:-}" in
-    cog-ha-matter|ha-matter)
-        shift
-        exec /app/cog-ha-matter \
-            --sensing-url "${SENSING_URL:-http://127.0.0.1:3000}" \
-            "$@"
-        ;;
-    homecore|homecore-server)
-        # Route to the HOMECORE native Rust port of Home Assistant
-        # (ADRs 126-134, v0.10.0). Default bind matches HA at :8123.
-        shift
-        exec /app/homecore-server \
-            --bind "${HOMECORE_BIND:-0.0.0.0:8123}" \
-            "$@"
-        ;;
-esac
-
 # If the first argument looks like a flag (starts with -), prepend the
 # server binary so users can just pass flags:
 #   docker run <image> --source esp32 --tick-ms 500
@@ -103,7 +25,7 @@ if [ "${1#-}" != "$1" ] || [ -z "$1" ]; then
         --ui-path /app/ui \
         --http-port 3000 \
         --ws-port 3001 \
-        --bind-addr "${RUVIEW_BIND_ADDR:-0.0.0.0}" \
+        --bind-addr 0.0.0.0 \
         "$@"
 fi
 

docs/RELEASE-streaming-engine-v0.3.0.md

@@ -1,117 +0,0 @@
-# RuView Streaming Engine v0.3.0 — Auditable Environmental Intelligence
-
-## What this is
-
-Most WiFi-sensing stacks emit a number and hope you trust it. **RuView's streaming
-engine is built so you don't have to.** Every conclusion it reaches — "someone is
-in the living room," "fall risk elevated," "the room layout changed" — carries a
-full evidence trail: which sensors saw it, how much they agreed, which calibration
-and model produced it, and what privacy policy it was emitted under.
-
-The throughline is **trust**. If you ask *"why should I believe this when it says a
-person fell?"*, the engine answers with signal evidence, sensor agreement,
-calibration provenance, and an auditable privacy posture — not just a confidence
-score.
-
-This release lands the ADR-135→146 series: the data contracts, the
-trust/privacy/audit machinery, and the algorithms — all real, tested, and
-composed into one end-to-end pipeline cycle.
-
-## The two layers that make it auditable
-
-- **WorldGraph (`wifi-densepose-worldgraph`)** — the *where & why* graph. A typed
-  graph of rooms, sensors, RF links, person tracks, object anchors, events, and
-  beliefs, connected by typed edges: `observes`, `located_in`, `derived_from`,
-  `contradicts`, `privacy_limited_by`. The privacy posture is *visible in the
-  persisted graph* — an auditor can read exactly what was suppressed and why.
-- **Trusted semantic records** — the *what we believe right now* record. Every
-  semantic state carries model version, calibration version, evidence refs,
-  confidence, expiry, and privacy action. High-stakes actions (caregiver
-  escalation) require **multi-signal agreement**, not a single noisy primitive.
-
-## What's new in v0.3.0
-
-| Area | Capability |
-|------|-----------|
-| Frame contracts (ADR-136) | `ComplexSample` (LE-canonical), provenance fields on every frame, `CanonicalFrame` BLAKE3 witness, `Stage`/`Versioned`/`QualityScored` traits |
-| Calibration (ADR-135) | `BaselineCalibration::apply()` stamps a deterministic `calibration_id` onto each frame |
-| Fusion quality (ADR-137) | `QualityScore` with per-node weights, evidence refs, and contradiction flags; calibration-mismatch detection |
-| Array coordination (ADR-138) | clock-quality + geometry gating; degraded nodes go "watch-only" |
-| WorldGraph (ADR-139) | the typed digital twin + privacy rollup + deterministic persistence |
-| Semantic records (ADR-140) | auditable state records + multi-signal agent routing |
-| Privacy control plane (ADR-141) | named modes + actions + a BLAKE3 hash-chained, tamper-evident attestation |
-| Evolution + VoxelMap (ADR-142) | cross-link "the room changed" detection + Bayesian occupancy, privacy-gated to a histogram |
-| RF-SLAM (ADR-143) | persistent reflector discovery → learned static anchors |
-| UWB fusion (ADR-144) | range-constraint refinement with outlier rejection (forward-looking) |
-| Ablation harness (ADR-145) | feature-matrix metrics incl. membership-inference privacy leakage |
-| RF encoder (ADR-146) | multi-task heads with per-head uncertainty + contrastive batcher (forward-looking) |
-| **Engine (`wifi-densepose-engine`)** | the composition root: one `process_cycle()` runs the whole trust pipeline |
-
-## Quick start
-
-```rust
-use wifi_densepose_engine::StreamingEngine;
-use wifi_densepose_bfld::PrivacyMode;
-use wifi_densepose_geo::types::GeoRegistration;
-use wifi_densepose_signal::ruvsense::fusion_quality::CalibrationId;
-
-// 1. Build the engine with a privacy posture + model version.
-let mut engine = StreamingEngine::new(PrivacyMode::PrivateHome, 1, GeoRegistration::default());
-
-// 2. Describe the space (rooms + sensors are WorldGraph nodes).
-let room = engine.add_room("living_room", "Living Room");
-let sensor = engine.add_sensor("esp32-com9", room);
-engine.register_node_geometry(0, 1.0, 0.0, 0.0);   // ADR-138 array geometry (optional)
-
-// 3. Each 50 ms cycle: feed per-node CSI frames + the calibration epoch.
-let out = engine.process_cycle(&node_frames, CalibrationId(0xABCD), room, now_ms)?;
-
-// 4. The result is a *trusted* belief — fully traceable.
-println!("class={:?} demoted={} evidence={:?}",
-         out.effective_class, out.demoted, out.provenance.evidence);
-assert_eq!(out.quality.calibration_id, Some(CalibrationId(0xABCD)));
-
-// 5. Persist the world model; reload reproduces the same query results.
-let snapshot = engine.snapshot_json()?;        // RVF payload — never raw RF frames
-```
-
-Per-node calibration (mismatch demotes privacy automatically):
-
-```rust
-let out = engine.process_cycle_calibrated(
-    &node_frames,
-    &[Some(CalibrationId(1)), Some(CalibrationId(2))], // disagree → CalibrationIdMismatch
-    room, now_ms)?;
-assert!(out.demoted);                          // privacy class demoted to Restricted
-assert_eq!(out.quality.calibration_id, None);  // no single calibration epoch
-```
-
-## Validated (acceptance tests that prove the architecture)
-
-- **ADR-137** `two calibrated frames → calibration mismatch → QualityScore contradiction → Restricted → calibration_id None → witness stable`
-- **ADR-139** `live_frame → fusion → worldgraph_update → privacy_rollup → persist → reload → same_contents` (no raw RF persisted)
-- **ADR-140** `raw snapshot → semantic primitive → SemanticStateRecord → agreement rule → expired record rejected`
-- **ADR-142** `3 links drift 30 frames → ChangePoint → VoxelMap accumulates → low-confidence suppressed → VoxelGate Restricted histogram → ADR-137 contradiction`
-
-## Performance & safety
-
-- **~6.35 µs per full cycle** (4 nodes / 56 subcarriers) — ~7,800× under the 50 ms / 20 Hz budget (criterion: `cargo bench -p wifi-densepose-engine`).
-- New crates are `#![forbid(unsafe_code)]`; no hardcoded secrets; input validated at boundaries; privacy demotion is monotonic; mode changes are hash-chain attested.
-- `wifi-densepose-core` and `wifi-densepose-bfld` build `#![no_std]` for the ESP32-S3 on-device path.
-
-## Build & test
-
-```bash
-cd v2
-cargo build --release --workspace --no-default-features    # optimized build
-cargo test --workspace --no-default-features                # full suite
-cargo test -p wifi-densepose-engine                         # 13 integration tests
-cargo bench -p wifi-densepose-engine                        # per-cycle latency
-```
-
-## Status (honest)
-
-Integrated and validated end-to-end: ADR-135/136/137/138/139/141/142/143 via the
-`wifi-densepose-engine` composition root. Forward-looking / pending: live 20 Hz
-sensing-server loop wiring, UWB hardware (ADR-144), and RF-encoder model training
-(ADR-146). Each GitHub issue (#840–#850) lists what is *Built* vs *Integration glue*.

docs/WITNESS-LOG-028.md

@@ -156,25 +156,6 @@ docker inspect ruvnet/wifi-densepose:python --format='{{.Size}}'
 # Expected: ~569 MB
 ```
 
-### Step 10b: Verify CIR Deterministic Proof (ADR-134)
-
-```bash
-bash scripts/verify-cir-proof.sh
-```
-
-**Expected:** `VERDICT: PASS (CIR hash matches)` once the `cir` module is implemented.
-
-Currently outputs `BLOCKED` because `expected_cir_features.sha256` contains a placeholder.
-After the CIR implementation lands, regenerate and commit the hash:
-
-```bash
-cd v2 && cargo run -p wifi-densepose-signal --bin cir_proof_runner \
-  --release --no-default-features -- --generate-hash \
-  > ../archive/v1/data/proof/expected_cir_features.sha256
-```
-
----
-
 ### Step 11: Verify ESP32 Flash (requires hardware on COM7)
 
 ```bash
@@ -231,8 +212,6 @@ Each row is independently verifiable. Status reflects audit-time findings.
 | 31 | On-device ESP32 ML inference | No | **NO** | Firmware streams raw I/Q; inference runs on aggregator |
 | 32 | Real-world CSI dataset bundled | No | **NO** | Only synthetic reference signal (seed=42) |
 | 33 | 54,000 fps measured throughput | Claimed | **NOT MEASURED** | Criterion benchmarks exist but not run at audit time |
-| 34 | CIR estimation (ADR-134, ISTA via NeumannSolver) | Yes | **PASS** | `archive/v1/data/proof/expected_cir_features.sha256`, `scripts/verify-cir-proof.sh`; regenerate after intentional changes: `cd v2 && cargo run -p wifi-densepose-signal --bin cir_proof_runner --release --no-default-features -- --generate-hash > ../archive/v1/data/proof/expected_cir_features.sha256` |
-| 35 | Empty-room baseline calibration (ADR-135, Welford + von Mises) | Yes | **PASS** | `archive/v1/data/proof/expected_calibration_features.sha256`, `scripts/verify-calibration-proof.sh`; regenerate after intentional changes: `cd v2 && cargo run -p wifi-densepose-signal --bin calibration_proof_runner --release --no-default-features -- --generate-hash > ../archive/v1/data/proof/expected_calibration_features.sha256` |
 
 ---
 
@@ -242,8 +221,6 @@ Each row is independently verifiable. Status reflects audit-time findings.
 |--------|-------|
 | Witness commit SHA | `96b01008f71f4cbe2c138d63acb0e9bc6825286e` |
 | Python proof hash (numpy 2.4.2, scipy 1.17.1) | `8c0680d7d285739ea9597715e84959d9c356c87ee3ad35b5f1e69a4ca41151c6` |
-| CIR proof hash (ADR-134) | `120bd7b1f549f57f3773971a389c48c2bdd99b4ab1f205935867a16e95583995` |
-| Calibration proof hash (ADR-135) | `d6bce07ecb1648e6936561df44bf4a3bfc17bb0ba5f692646b2301d105b52f67` |
 | ESP32 frame magic | `0xC5110001` |
 | Workspace crate version | `0.2.0` |
 

docs/WITNESS-LOG-110.md

@@ -57,7 +57,7 @@ This witness separates what was **empirically observed on real silicon today** f
 
 | # | Claim | Why it's not verified |
 |---|---|---|
-| **B1** | "Wi-Fi 6 HE-LTF: 242 subcarriers per HE20 frame" | The only AP in range (`ruv.net`) is 11n-only. Every captured frame is 128 bytes = 64 subcarriers (HT-LTF, `ppdu_type=0`). No HE-SU/HE-MU/HE-TB observed. Even if an 11ax AP were available, **whether ESP-IDF v5.4's CSI callback exposes HE-LTF subcarriers via `wifi_csi_info_t.buf` is an open question** — the public API was designed for HT-LTF, and the driver may quietly downconvert. **Validate by capturing CSI against an 11ax AP and comparing `info->len` between HT and HE frames.**<br><br>**RESOLVED WITH MEASUREMENT (2026-06-11, external — issue #1005, production deployment by @stuinfla):** the open question is answered in both directions. **IDF v5.4's driver blob downconverts** (148 B / 64-subcarrier HT frames, PPDU byte 0x00, on a confirmed-HE link); **IDF v5.5.2 delivers true HE-LTF** — 532 B frames = 256 bins (242 active HE20 tones), PPDU byte 0x01 (HE-SU), ~90% of frames, same board/AP/link. Setup: XIAO ESP32-C6 → hostapd on Intel AX210, 2.4 GHz ch 6, `ieee80211ax=1`. No firmware change required (`acquire_csi_su=1` was already set); the gate was purely the IDF driver version. Three C6 nodes ran this mode simultaneously with ADR-110 ESP-NOW sync. Requires the issue-#1005 version-guard fix in `c6_sync_espnow.c` to build on v5.5.x. |<br><br>**REPLICATED IN-HOUSE (2026-06-11):** same source + fix, fresh IDF v5.5.2 toolchain, original COM12 board (`20:6e:f1:17:00:84`), AP `ruv.net` (11ax 2.4 GHz): **84% of 1,525 captured frames at 532 B / PPDU 0x01 (HE-SU)**, HT minority 148 B / 0x00. Evidence grade: MEASURED (two independent rigs). |
+| **B1** | "Wi-Fi 6 HE-LTF: 242 subcarriers per HE20 frame" | The only AP in range (`ruv.net`) is 11n-only. Every captured frame is 128 bytes = 64 subcarriers (HT-LTF, `ppdu_type=0`). No HE-SU/HE-MU/HE-TB observed. Even if an 11ax AP were available, **whether ESP-IDF v5.4's CSI callback exposes HE-LTF subcarriers via `wifi_csi_info_t.buf` is an open question** — the public API was designed for HT-LTF, and the driver may quietly downconvert. **Validate by capturing CSI against an 11ax AP and comparing `info->len` between HT and HE frames.** |
 | **B2** | "TWT-bounded deterministic CSI cadence (10 ms wake)" | No 11ax AP in range. The TWT setup *call* was exercised live and the graceful fallback path is now correct (A9), but the agreement itself was never accepted. **Validate by associating with an 11ax AP that has TWT Responder=1, then capturing the timestamped CSI cadence vs the wall clock.** |
 | **B3** | "±100 µs cross-node alignment over 802.15.4" | 3 boards initialized their radios with correct EUIs (A4/A5), but **none stepped down from candidate-leader to follower** during repeated 35-second multi-board captures. <br><br>**Coex hypothesis REJECTED**: rebuilt + reflashed all 3 boards with `CONFIG_C6_TIMESYNC_CHANNEL=26` (2480 MHz, non-overlapping with WiFi ch 5 at 2432 MHz). Result identical: 3× candidate, 0× "stepping down". So 2.4 GHz radio coex was NOT the cause. <br><br>**Current leading hypothesis**: OpenThread (CONFIG_OPENTHREAD_ENABLED=y) owns the 802.15.4 radio when its stack is initialized — our weak-symbol overrides of `esp_ieee802154_receive_done` / `_transmit_done` may never be called because OpenThread registers strong handlers. Validation in progress: rebuilding with `CONFIG_OPENTHREAD_ENABLED=n` (raw 802.15.4 only, our beacon protocol is private — no need for the Thread stack). If leader election fires under raw-15.4-only, hypothesis confirmed. <br><br>If raw-only also fails, next move is to dump the actual PHY frame bytes via the IEEE 802.15.4 sniffer mode on a 4th board and diagnose at the frame level. |
 | **B4** | "~5 µA hibernation for battery seed nodes" | No INA / Joulescope current measurement available on this bench. The shipped code uses `esp_deep_sleep_enable_gpio_wakeup` (ext1 path, ESP-IDF default ~10 µA), not a true LP-core polling program. The 5 µA number is the C6 datasheet figure for ULP-level hibernation, not a measured value. **Validate by hooking an INA219/INA226 between the dev board's 3V3 rail and the regulator output, then averaging current over a 60-second cycle with the LP-core armed.** |

docs/adr/ADR-110-esp32-c6-firmware-extension.md

@@ -19,7 +19,7 @@ The production CSI node firmware (`firmware/esp32-csi-node`) was built around th
 
 | C6 capability | What it enables for sensing | Why we can't get it on S3 |
 |---|---|---|
-| **802.11ax (Wi-Fi 6) HE-LTF CSI** | 242 subcarriers per HE20 frame (vs 52 for HT-LTF), HE-MU/HE-TB PPDU types, OFDMA-aware channel sounding. **Hardware-confirmed 2026-06-11** (issue #1005, external production deployment): requires **ESP-IDF ≥ 5.5** — the v5.4 driver blob silently downconverts to 64-subcarrier HT even on a confirmed-HE link; v5.5.2 delivers 532 B frames = 256 bins (242 active tones), PPDU 0x01 (HE-SU). See WITNESS-LOG-110 §B1 (resolved). | S3 radio is HT-only (n) |
+| **802.11ax (Wi-Fi 6) HE-LTF CSI** | 242 subcarriers per HE20 frame (vs 52 for HT-LTF), HE-MU/HE-TB PPDU types, OFDMA-aware channel sounding | S3 radio is HT-only (n) |
 | **802.15.4 (Thread / Zigbee)** | Cross-node time-sync over a separate radio — frees Wi-Fi airtime for CSI, ±100 µs alignment possible without coordination traffic on the sensing channel | S3 has no 802.15.4 |
 | **TWT (Target Wake Time)** | Sensor negotiates a deterministic wake slot with the AP; CSI cadence becomes scheduler-bounded instead of opportunistic | Requires 802.11ax — S3 can't speak it |
 | **LP-core + hibernation (~5 µA)** | Always-on motion gate runs on a separate RISC-V LP core in deep sleep; HP core stays off until a real event | S3 ULP is FSM-only, ~10 µA floor |

docs/adr/ADR-115-home-assistant-integration.md

@@ -2,12 +2,12 @@
 
 | Field | Value |
 |-------|-------|
-| **Status** | **Accepted** (MQTT track P1–P7 + P8a + P9 + P10 shipped 2026-05-23 in PR #778, 410 lib tests, witness bundle VERIFIED) / **Proposed** (Matter SDK wiring P8b deferred to v0.7.1 per §9.10) |
+| **Status** | Proposed |
 | **Date** | 2026-05-23 |
 | **Deciders** | ruv |
-| **Codename** | **HA-DISCO** (MQTT) + **HA-FABRIC** (Matter) + **HA-MIND** (semantic primitives) |
+| **Codename** | **HA-DISCO** (MQTT) + **HA-FABRIC** (Matter) |
 | **Relates to** | ADR-018 (CSI binary frame format), ADR-021 (ESP32 vitals), ADR-031 (RuView sensing-first), ADR-039 (edge vitals packet 0xC511_0002), ADR-079 (camera ground-truth), ADR-103 (cog-person-count), ADR-110 (ESP32-C6 firmware), ADR-114 (cog-quantum-vitals) |
-| **Tracking issue** | [#776](https://github.com/ruvnet/RuView/issues/776) — implementation in PR [#778](https://github.com/ruvnet/RuView/pull/778) |
+| **Tracking issue** | TBD — file under RuView issue tracker, link in §10 |
 | **Related issues** | [#574](https://github.com/ruvnet/RuView/issues/574) (mDNS for seed_url), [#760](https://github.com/ruvnet/RuView/issues/760) (sensing UI), [#761](https://github.com/ruvnet/RuView/issues/761) (HA competitor scan) |
 
 ---

docs/adr/ADR-116-cog-ha-matter-seed.md

@@ -1,116 +0,0 @@
-# ADR-116: Home Assistant + Matter as a Cognitum Seed cog (`cog-ha-matter`)
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed — P1 research complete ([`docs/research/ADR-116-ha-matter-cog-research.md`](../research/ADR-116-ha-matter-cog-research.md)). P2 cog scaffold compiles (`v2/crates/cog-ha-matter`, 2/2 unit tests green). |
-| **Date** | 2026-05-23 |
-| **Deciders** | ruv |
-| **Codename** | **HA-COG** — HA + Matter, packaged for the Seed |
-| **Relates to** | [ADR-110](ADR-110-esp32-c6-firmware-extension.md) (C6 firmware substrate), [ADR-115](ADR-115-home-assistant-integration.md) (HA-DISCO + HA-MIND + HA-FABRIC), [ADR-102](ADR-102-edge-module-registry.md) (cog catalog), [ADR-101](ADR-101-pose-estimation-cog.md) (cog packaging precedent) |
-| **Tracking issue** | TBD — file under RuView issue tracker once research dossier lands |
-
----
-
-## 1. Context
-
-ADR-115 shipped the Home Assistant + Matter integration as a **`--mqtt` flag on `wifi-densepose-sensing-server`** — a Rust binary that runs on a Pi / Linux box, consumes UDP frames from the ESP32 fleet, and publishes MQTT for any Home Assistant install to discover. That works, but it makes HA+Matter a *configuration of the aggregator*, not an *installable artifact* a Cognitum Seed user can drop into their existing fleet.
-
-The Cognitum Seed already has a [105-cog catalog](https://seed.cognitum.one/store) — packaged Seed apps (`cog-pose-estimation`, `cog-quantum-vitals`, `cog-person-matching`, etc.) that anyone can install from `app-registry.json`. **There is no `cog-ha-matter` yet.** That's the gap this ADR closes.
-
-The cog packaging precedent is ADR-101 (`cog-pose-estimation`) which ships signed aarch64 + x86_64 binaries on GCS with a `pose_v1.safetensors` weight blob — same shape we'd want for the HA cog.
-
-### 1.1 Why a cog, not just the existing flag?
-
-| Path | Distribution | Discovery | Update | Witness | Local AI |
-|---|---|---|---|---|---|
-| `--mqtt` on `sensing-server` | manual install of the Rust binary | none | manual | none | external |
-| **`cog-ha-matter` Seed cog** | `app-registry.json` listing, one-click install | mDNS / cog browser | OTA via cog runtime | Ed25519 witness chain | local ruvllm + RuVector |
-
-The cog ships HA+Matter as a first-class Seed feature — same UX as installing a pose estimator or person matcher.
-
-### 1.2 What this ADR is *not*
-
-- Not a deprecation of the `--mqtt` flag on sensing-server. The flag stays for Pi / Linux deployments without a Seed; the cog is the Seed-native option.
-- Not a port of HA-MIND / HA-DISCO logic to a different language. The Rust crate already exists; the cog *wraps* it as a Seed-installable artifact + adds Seed-specific surfaces (witness, RuVector, ruvllm-driven thresholds).
-- Not a Matter SDK ship. ADR-115 §9.10 deferred the matter-rs SDK wiring to v0.7.1; this ADR continues that deferral and focuses on the *cog packaging* + *first-class Seed integration*, with Matter Bridge mode shipping in v0.8 once the SDK is ready.
-
-## 2. Decision (provisional — to be refined by the research dossier)
-
-Build **`cog-ha-matter`** as a Cognitum Seed cog with these surfaces:
-
-### 2.1 Core entity surface (unchanged from ADR-115)
-
-The cog republishes the same 21 entities per node (11 raw + 10 semantic primitives) over MQTT auto-discovery, so HA installations behave identically whether the source is a Seed cog or an external sensing-server.
-
-### 2.2 Seed-native enhancements
-
-- **Self-contained MQTT broker (optional)** — if the user doesn't already run mosquitto, the cog can host an embedded broker on `cognitum-seed.local:1883` and act as the HA endpoint directly.
-- **mDNS service advertisement** — `_ruview-ha._tcp` so HA's discovery integration finds the Seed without manual config.
-- **RuVector-backed semantic-primitive thresholds** — instead of static `semantic-thresholds.yaml`, the cog learns per-home thresholds via a SONA-adapted RuVector model (matches the Seed's local-first AI story).
-- **Ed25519 witness chain** — every state transition logged with a Seed signature so care-home / regulated deployments can audit decisions.
-- **OTA firmware coordination** — the cog manages C6 firmware updates for ESP32-C6 nodes in the mesh (ADR-110 substrate).
-
-### 2.3 Matter dimensions (depend on research findings)
-
-The research dossier covers (a) Matter Bridge vs Matter Device mode, (b) Thread Border Router on the Seed's ESP32-S3 (if feasible), (c) CSA certification path, (d) which Matter device classes map cleanly to which entities. **Decision deferred** until the dossier lands; this ADR will be updated in §3 with the specific Matter feature set.
-
-### 2.4 Multi-Seed federation
-
-Multiple Seeds in adjacent rooms coordinate via:
-- ESP-NOW mesh (ADR-110 substrate) for time alignment
-- mDNS for service discovery
-- Witness chain replication for cross-Seed event provenance
-
-The federation model is the natural extension of ADR-110's mesh substrate into the application layer. Specifically: ADR-110 gives us ≤100 µs cross-board sync; this ADR uses that to deduplicate cross-Seed events (one fall, one alert) and reconstruct multi-room transitions (one occupant, room A → hallway → room B).
-
-## 3. Research dossier findings (P1 complete)
-
-Full dossier: [`docs/research/ADR-116-ha-matter-cog-research.md`](../research/ADR-116-ha-matter-cog-research.md). The eight research questions are now answered:
-
-1. **Matter Bridge vs Matter Root** — Matter 1.4 introduced `OccupancySensor (0x0107)` with `RFSensing` feature flag on cluster `0x0406` (revision 5 in Matter 1.4). That's the correct device class for WiFi-CSI sensing — no health/vitals cluster exists in Matter 1.4.2 and won't soon. **Seed acts as Bridge** with N dynamic OccupancySensor endpoints, **not Commissioner** (the C6 sensing nodes stay Accessories only — 320 KB SRAM no PSRAM rules out commissioning).
-2. **Thread Border Router** — ESP32-C6 single-chip TBR confirmed working; `CONFIG_OPENTHREAD_BORDER_ROUTER=y` is the only config step. ADR-110's `c6_timesync.c` already initialises 802.15.4 — TBR is a Kconfig flag away. Real value: HA's Improv-style commissioning works without a separate Thread border router box.
-3. **HACS value-add** — config flow (UI setup wizard), Repairs API (structured error cards), re-authentication, diagnostics download, typed service actions (`set_privacy_mode`, `calibrate_zone`), i18n translations. **Bronze is the minimum bar; Gold (repairs + diagnostics + reconfiguration) is the target.** Start from `hacs.integration_blueprint` template.
-4. **CSA certification** — ~$30-42k first year ($22.5k membership + $10-19k ATL lab fees). **Skippable for v1** by publishing as "Works with HA" instead. CSA re-evaluate at v0.9+ after HACS adoption data lands.
-5. **Cog RAM budget** — 128 MB RAM / 15 % CPU on the Seed appliance (Pi 5 + Hailo-10 variant has more headroom). 10 KB INT8 semantic-primitive classifier fits without PSRAM. Long-lived supervised process with capability scopes `network.mqtt + network.matter + api.ruview_vitals`.
-6. **ruvllm + RuVector latency** — `ruvllm-esp32` v0.3.3 confirms SONA self-optimising adaptation under 100 µs per query. 8→10 INT8 classifier ~10 KB quantised. Per-home threshold tuning via HA thumbs-up/thumbs-down feedback as LoRA-style gradient steps — closes the top user complaint (false positives) without cloud round-trips.
-7. **HIPAA / FDA** — FDA January 2026 General Wellness guidance explicitly classifies HR / sleep / activity-anomaly alerts as **wellness devices** (outside FDA jurisdiction) when marketed without diagnostic claims. Frame fall detection as **"activity anomaly notification"** not "fall diagnosis". `--privacy-mode` audit-only tier (no MQTT state messages, only SHA-256 digests on-Seed) creates a technical PHI barrier. `OccupancySensor (0x0107)` device class keeps the product in the same regulatory category as a smart motion sensor.
-8. **Competitor moat** — Aqara FP300 (Nov 2025): 5 entities, no person count, no vitals, no fall detection. TOMMY: zones only, no vitals, closed-source, paywalled. ESPectre: motion only. **RuView's differentiation** — HR/BR + 17-keypoint pose + 10 semantic primitives + witness chain + SONA adaptation — has no competitor equivalent.
-
-## 4. Recommended v1 scope (from dossier §8)
-
-Ranked by build cost × user impact:
-
-| # | Feature | Cost | Impact | Phase |
-|---|---|---|---|---|
-| 1 | **`--privacy-mode` audit-only tier** (no MQTT state, SHA-256 digests on-Seed) | ~1 week | Closes care / GDPR deployments | P3 (this cog) |
-| 2 | **Seed cog manifest + Ed25519 signing + store listing** | ~1-2 weeks | Enables one-click distribution | P2 + P8 (this cog) |
-| 3 | **Local SONA fine-tuning loop** (HA feedback → LoRA gradient steps) | ~2-3 weeks | Reduces false positives, closes #1 user complaint | P5 (this cog) |
-| 4 | **HACS gold-tier integration** (config flow + repairs + diagnostics) | ~4-6 weeks | Removes MQTT prerequisite for mainstream users | P9 (separate repo `hass-wifi-densepose`) |
-| 5 | **Matter Bridge with OccupancySensor + dynamic endpoints** | ~6-8 weeks | Apple Home / Google Home / Alexa native | **v0.8** dedicated sprint (after HACS adoption data) |
-| 6 | **Embedded MQTT broker (rumqttd) inside the cog** | ~1 week | "Works without external broker" but every HA install already has mosquitto / built-in | **v0.7** deferred — adds ~2 MB binary + ACL config surface for marginal user benefit. Dossier ranking did not include this in the prioritised v1 scope. |
-
-## 4. Implementation phases
-
-| Phase | Scope | Status |
-|---|---|---|
-| **P1** | Research dossier ([`docs/research/ADR-116-ha-matter-cog-research.md`](../research/ADR-116-ha-matter-cog-research.md)) | ✅ **done** — 8 sections, 30+ citations, v1 scope ranked |
-| **P2** | Cog crate scaffold (`v2/crates/cog-ha-matter/`) — Cargo.toml + `src/{lib,main,manifest}.rs`, workspace member, CLI args, `--print-manifest` flag, 2 manifest unit tests | ✅ **done** — `cargo check` + `cargo test` green |
-| **P3** | Wrap existing ADR-115 MQTT publisher as cog entry point | ✅ **wiring done** — `main.rs` boots ADR-115's `publisher::spawn` via `runtime::spawn_publisher` thin wrapper, holds a long-lived `broadcast::Sender<VitalsSnapshot>`, awaits Ctrl-C. Live-handle test green without a broker. Next (P3.5): subscribe to sensing-server `/v1/snapshot` WS and republish into the channel. |
-| **P4** | Seed-native enhancements (mDNS, witness; embedded broker deferred) | ✅ **shipped** — mDNS half: record-builder + ServiceInfo conversion + live responder wired into `main.rs` (HA auto-discovery on `_ruview-ha._tcp` works out of the box, `--no-mdns` flag for restrictive networks). Witness half: hash-chain + JSONL + file persistence + chain-level verify + Ed25519 signing. **Embedded rumqttd broker deferred to v0.7** per dossier §8 ranking — not in the prioritised v1 scope; v1 ships with external-broker only (mosquitto or HA's built-in broker). See §4 v1 scope table. |
-| **P5** | RuVector-backed threshold learning (SONA adaptation) | pending |
-| **P6** | Multi-Seed federation (cross-Seed dedup + witness) | pending |
-| **P7** | Matter Bridge mode (depends on matter-rs / esp-matter readiness) | pending |
-| **P8** | Cog signing + `app-registry.json` listing + Seed Store entry | pending |
-| **P9** | HACS integration repo (`hass-wifi-densepose`) for HA-side install path | pending |
-| **P10** | Witness bundle + CSA-style spec compliance check | pending |
-
-## 5. References
-
-- ADR-101 — `cog-pose-estimation` packaging precedent (signed binaries on GCS, .cog manifest)
-- ADR-102 — edge module registry (`app-registry.json` surfaces all cogs)
-- ADR-110 — ESP32-C6 firmware substrate (mesh time alignment that multi-Seed federation depends on)
-- ADR-115 — HA-DISCO + HA-MIND + HA-FABRIC (the Rust crate this cog wraps)
-- `docs/research/ADR-116-ha-matter-cog-research.md` — companion research dossier (deep-researcher agent in progress)
-- Cognitum Seed store: https://seed.cognitum.one/store
-- Matter spec: https://csa-iot.org/all-solutions/matter/
-- HACS integration target: https://github.com/ruvnet/hass-wifi-densepose (planned)

docs/adr/ADR-117-pip-wifi-densepose-modernization.md

@@ -1,807 +0,0 @@
-# ADR-117: pip `wifi-densepose` modernization via PyO3 + maturin bindings
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-24 |
-| **Deciders** | ruv |
-| **Codename** | **PIP-PHOENIX** — rising from a pure-Python server to Rust-core Python bindings |
-| **Relates to** | [ADR-021](ADR-021-esp32-vitals.md) (ESP32 vitals), [ADR-028](ADR-028-esp32-capability-audit.md) (capability audit / witness), [ADR-115](ADR-115-home-assistant-integration.md) (HA-DISCO + HA-MIND MQTT semantics), [ADR-116](ADR-116-cog-ha-matter-seed.md) (HA-COG Seed packaging) |
-| **Tracking issue** | TBD — file under RuView issue tracker |
-
----
-
-## 1. Context
-
-### 1.1 What the pip package is today
-
-`wifi-densepose` v1.1.0 was published to PyPI on **2025-06-07** (two releases the same
-day: 1.0.0 at 13:24 UTC, 1.1.0 at 17:02 UTC). Both wheels carry the tag
-`py3-none-any` — no compiled extension, no platform-specific code. The package is a
-**pure-Python server application** sourced entirely from `archive/v1/`.
-
-The package installs a 40-dependency stack including FastAPI, PyTorch, SQLAlchemy,
-Redis, Celery, OpenCV, asyncpg, psycopg2, and Scapy (`archive/v1/setup.py:46–87`).
-The declared entry points are:
-
-```
-wifi-densepose = src.cli:cli
-wdp             = src.cli:cli
-```
-
-(`archive/v1/setup.py:178–179`)
-
-The public API surface is centred on a FastAPI HTTP server, a SQLAlchemy/postgres
-database layer, and a Redis/Celery task queue — none of which map to the current Rust
-architecture. The `__init__.py` exports `app` (FastAPI), `CSIProcessor`,
-`PhaseSanitizer`, `PoseEstimator`, `RouterInterface`, `ServiceOrchestrator`,
-`HealthCheckService`, and `MetricsService` (`archive/v1/src/__init__.py:54–68`).
-
-### 1.2 Why this matters now
-
-ADR-115 (PR #778, merged 2026-05-23) shipped 21 Home Assistant entities, 10 semantic
-primitives, mTLS, privacy mode, and a full witness bundle from the Rust crate
-`wifi-densepose-sensing-server`. ADR-116 is packaging this as a Cognitum Seed cog.
-Neither surface is reachable from `pip install wifi-densepose` — the pip package cannot
-import a CsiFrame, decode an edge-vitals packet, call a DSP stage, verify a witness
-bundle, or subscribe to the sensing server's MQTT or WebSocket endpoints. The ecosystem
-split is now wide enough that the pip package actively misleads new users about what
-the project does.
-
-Three concrete customer pain points:
-
-1. A Python user who `pip install wifi-densepose` expecting to consume live pose/vitals
-   data gets a FastAPI server that requires postgres + redis, not a library they can
-   script against.
-2. Integrators writing HA automations or Node-RED flows in Python have no idiomatic
-   Python API for the v0.7 telemetry surface (ADR-115 entities, semantic primitives).
-3. The ADR-028 witness chain (deterministic pipeline proof) is Python-based and
-   exercised via `archive/v1/data/proof/verify.py`, but it imports from the v1 stack —
-   it cannot witness the Rust pipeline that is now the production implementation.
-
-### 1.3 What this ADR is *not*
-
-- Not a removal of `archive/v1/` from the repository. The v1 codebase stays as a
-  research archive and its proof bundle stays in `archive/v1/data/proof/`.
-- Not a port of the Rust crates to Python. The Rust workspace (`v2/`) is authoritative
-  and unmodified by this ADR.
-- Not a replacement of the `wifi-densepose-sensing-server` Rust binary. The pip
-  package wraps or clients the binary; it does not reimplement it.
-- Not an overlap with ADR-116 (Seed cog packaging). ADR-116 ships a Seed-installable
-  artifact; ADR-117 ships a Python developer library for scripting, automation, and
-  prototyping against the Rust stack.
-
----
-
-## 2. Current state — evidence
-
-| Artifact | Value | Source |
-|---|---|---|
-| Latest PyPI version | **1.1.0** | `pypi.org/pypi/wifi-densepose/json` |
-| First release date | 2025-06-07T13:24:53Z | PyPI JSON metadata |
-| Latest release date | 2025-06-07T17:02:40Z | PyPI JSON metadata |
-| Months since last release | **~11.5 months** | as of 2026-05-24 |
-| Wheel tag | `py3-none-any` | PyPI simple index |
-| Hard dependencies | 40 (torch, fastapi, sqlalchemy, redis, celery, …) | `setup.py:46–87` |
-| Entry point | `src.cli:cli` | `setup.py:178` |
-| Python requires | `>=3.9` | `setup.py:108` |
-| Classifiers Python versions | 3.9, 3.10, 3.11, 3.12 | PyPI JSON classifiers |
-| Classifiers status | Beta (4) | PyPI JSON classifiers |
-| Current Rust workspace version | **0.3.0** | `v2/Cargo.toml:version` |
-| Rust crates in workspace | 20+ | `v2/Cargo.toml` members |
-| ADR-115 shipped | 2026-05-23 | PR #778 |
-
-The v1 source package (`archive/v1/setup.py:112–215`) was clearly designed as an
-all-in-one server application, not a reusable library. The `find_packages` call at
-line 134 searches from `"."` (the archive root), meaning the wheel ships `src.*` as the
-importable namespace. The proof bundle (`archive/v1/data/proof/verify.py:56–57`) imports
-`src.hardware.csi_extractor.CSIData` and `src.core.csi_processor.CSIProcessor` — v1 pure
-Python only.
-
-**PyPI org presence check:** a search for other `ruvnet`-published PyPI packages
-(`ruvector`, `claude-flow`) returned no matches in the PyPI simple index as of this
-writing. The `wifi-densepose` package is currently the only Python entry point for this
-project's ecosystem.
-
----
-
-## 3. Gap analysis
-
-| Capability | Rust crate(s) | pip v1.1.0 status | Gap severity |
-|---|---|---|---|
-| `CsiFrame` / `CsiMetadata` core types | `wifi-densepose-core` (`types.rs`) | Not present — v1 uses `CSIData` Python class | **Critical** |
-| HR/BR extraction from CSI buffer | `wifi-densepose-vitals` (4-stage pipeline: preprocessor → breathing → heartrate → anomaly) | Stub Python (`src/hardware/csi_extractor.py`) with no DSP | **Critical** |
-| Phase sanitization / noise removal | `wifi-densepose-signal` (`phase_sanitizer`, `csi_processor`, `hampel`) | Python stubs in `src/core/phase_sanitizer.py` | **Critical** |
-| Motion detection + presence scoring | `wifi-densepose-signal` (`motion.rs`, `MotionDetector`) | Not present | **Critical** |
-| RuvSense multistatic sensing (13 modules) | `wifi-densepose-signal/src/ruvsense/` | Not present — ADR-029 post-dates v1 | **Critical** |
-| 17-keypoint pose estimation | `wifi-densepose-nn`, `wifi-densepose-mat` | Stub `PoseEstimator` wrapping a `torch.nn.Module` that requires model weights | **High** |
-| MQTT publisher (21 HA entities) | `wifi-densepose-sensing-server/src/mqtt/` | Not present — ADR-115 post-dates v1 | **High** |
-| Semantic primitives (10 types) | `wifi-densepose-sensing-server/src/semantic/` | Not present | **High** |
-| Matter bridge | `wifi-densepose-sensing-server/src/matter/` | Not present | **High** |
-| WS/REST client for sensing-server | `wifi-densepose-sensing-server` (Axum) | v1 has a separate FastAPI server; no client | **High** |
-| Witness bundle verification | ADR-028 / `scripts/generate-witness-bundle.sh` | `archive/v1/data/proof/verify.py` — proves v1 pipeline only | **High** |
-| ESP32-C6 firmware telemetry (ADR-110) | `wifi-densepose-hardware` + `wifi-densepose-sensing-server` | Not present | **Medium** |
-| Cross-viewpoint fusion (RuVector) | `wifi-densepose-ruvector/src/viewpoint/` | Not present | **Medium** |
-| Semantic-primitive MQTT payload | `wifi-densepose-sensing-server/src/semantic/bus.rs` | Not present | **Medium** |
-| PostgreSQL + Redis server mode | `archive/v1/` | Present (v1 only) | Low (not SOTA) |
-| FastAPI HTTP REST server | `archive/v1/src/app.py` | Present (v1 only) | Low (not SOTA) |
-
----
-
-## 4. Decision
-
-Adopt **PyO3 + maturin Python extension bindings** as the primary modernization path,
-shipping the pip package as a platform-native wheel (`manylinux`, `macosx`, `win-amd64`)
-with compiled Rust extension modules, plus a pure-Python WS/MQTT client layer that talks
-to a running `wifi-densepose-sensing-server` instance.
-
-This path is called **PIP-PHOENIX**.
-
-### 4.1 Why PyO3 + maturin over the three rejected alternatives
-
-| Criterion | **PyO3 + maturin** (chosen) | Subprocess wrapper | REST/WS client only | Pure Python reimpl |
-|---|---|---|---|---|
-| Performance for DSP | Native Rust speed, zero copy | IPC overhead per call | N/A — no local DSP | Python bottleneck |
-| Binary size in wheel | Core + vitals + signal only: ~2 MB stripped | Full sensing-server binary: ~15–30 MB | Minimal (~50 kB) | Minimal (~100 kB) |
-| Works offline / no server | Yes | Yes (binary bundled) | No — server required | Partial |
-| Proof bundle can cover Rust pipeline | Yes — bindings call the same Rust code the server uses | Partial — server is a black box | No | No |
-| Install experience | `pip install wifi-densepose` — wheel has no system deps | `pip install` downloads 25 MB binary | `pip install` — pure Python | `pip install` — pure Python |
-| Maintenance surface | Python bindings + Rust workspace | Python thin shim | Python client | Python reimpl must track Rust |
-| Async / tokio support | PyO3 0.28 `pyo3-asyncio` or `pyo3-async-runtimes` for async export; sync entry points for the DSP hot path | N/A | Native asyncio on client | N/A |
-| GIL concern | DSP-heavy calls release GIL via `py.allow_threads`; tokio runtime per module | N/A | None | N/A |
-| Fits existing architecture | Core + vitals + signal already have clean public APIs (`lib.rs` re-exports) | Requires sensing-server to be running | Requires sensing-server | Forks the domain model |
-
-**Subprocess wrapper** is rejected because shipping a 25 MB pre-built server binary
-inside every pip wheel is an unacceptably heavy install, and it makes offline scripting
-impossible without starting the server.
-
-**REST/WS client only** is rejected because it provides zero DSP utility offline and
-cannot close the witness gap — the proof bundle must exercise the same pipeline code.
-
-**Pure Python reimplementation** is the root cause of the current drift and is
-explicitly rejected.
-
-The chosen path starts small: **bind only the three crates with the highest Python
-utility** (`wifi-densepose-core`, `wifi-densepose-vitals`, `wifi-densepose-signal`),
-ship a `py3-none-any` pure-Python WS/MQTT client layer as a separate sub-module, and
-grow from there.
-
----
-
-## 5. Detailed design
-
-### 5.1 Rust crates bound in v2.0 (first wheel)
-
-Three crates are in scope for the initial binding. They were chosen because they have
-no heavy system dependencies (no libtorch, no ONNX runtime), have stable `pub` re-export
-surfaces in `lib.rs`, and directly address the three most-requested missing capabilities.
-
-| Crate | Exported Python types / functions | Binding rationale |
-|---|---|---|
-| `wifi-densepose-core` | `CsiFrame`, `CsiMetadata`, `Keypoint`, `KeypointType`, `PersonPose`, `PoseEstimate`, `Confidence`, `BoundingBox` | Foundation types shared by all other crates; without these users can't even describe a frame |
-| `wifi-densepose-vitals` | `CsiVitalPreprocessor`, `BreathingExtractor`, `HeartRateExtractor`, `VitalAnomalyDetector`, `VitalSignStore`, `VitalReading`, `VitalEstimate`, `AnomalyAlert` | The most-asked-for surface: HR/BR from a CSI buffer in 4 lines of Python |
-| `wifi-densepose-signal` | `CsiProcessor`, `CsiProcessorConfig`, `PhaseSanitizer`, `MotionDetector`, `MotionScore`, `FeatureExtractor`, `HardwareNormalizer` | DSP pipeline that produces the features vitals and pose estimation consume |
-
-Crates **deferred to P6+**: `wifi-densepose-nn` (requires libtorch or candle — wheel
-size risk), `wifi-densepose-mat` (depends on nn), `wifi-densepose-ruvector` (RuVector
-GNN types — high value but adds ruvector-gnn 2.0.5 link dependency),
-`wifi-densepose-hardware` (ESP32 HAL — not Python-scripting friendly).
-
-### 5.2 New workspace member: `python/`
-
-A new crate `python/` is added as a workspace member at `v2/crates/wifi-densepose-py/`.
-It is a `cdylib` that re-exports the three bound crates behind a single maturin module
-named `wifi_densepose._core`.
-
-```toml
-# v2/crates/wifi-densepose-py/Cargo.toml (sketch)
-[package]
-name = "wifi-densepose-py"
-version.workspace = true
-edition.workspace = true
-
-[lib]
-name = "_core"
-crate-type = ["cdylib"]
-
-[dependencies]
-pyo3 = { version = "0.28", features = ["extension-module", "abi3-py310"] }
-wifi-densepose-core   = { path = "../wifi-densepose-core", features = ["serde"] }
-wifi-densepose-vitals = { path = "../wifi-densepose-vitals" }
-wifi-densepose-signal = { path = "../wifi-densepose-signal" }
-```
-
-The `abi3-py310` feature locks the stable ABI to CPython 3.10+, so one wheel binary
-works across 3.10, 3.11, 3.12, and 3.13 without recompilation.
-
-PyO3 bindings pattern (example for `CsiFrame`):
-
-```rust
-// v2/crates/wifi-densepose-py/src/core_types.rs
-use pyo3::prelude::*;
-use wifi_densepose_core::CsiFrame as RustCsiFrame;
-
-#[pyclass(name = "CsiFrame")]
-#[derive(Clone)]
-pub struct PyCsiFrame {
-    inner: RustCsiFrame,
-}
-
-#[pymethods]
-impl PyCsiFrame {
-    #[new]
-    fn new(amplitudes: Vec<f32>, phases: Vec<f32>, n_subcarriers: usize,
-           sample_index: u64, sample_rate_hz: f32) -> Self {
-        Self { inner: RustCsiFrame { amplitudes, phases, n_subcarriers,
-                                     sample_index, sample_rate_hz } }
-    }
-
-    #[getter] fn amplitudes(&self) -> Vec<f32> { self.inner.amplitudes.clone() }
-    #[getter] fn phases(&self) -> Vec<f32> { self.inner.phases.clone() }
-    #[getter] fn n_subcarriers(&self) -> usize { self.inner.n_subcarriers }
-}
-```
-
-DSP calls that execute >1 ms release the GIL:
-
-```rust
-#[pymethods]
-impl PyCsiProcessor {
-    fn process<'py>(&mut self, py: Python<'py>, frame: &PyCsiFrame)
-        -> PyResult<Option<PyProcessedSignal>>
-    {
-        py.allow_threads(|| self.inner.process(&frame.inner))
-            .map(|opt| opt.map(PyProcessedSignal::from))
-            .map_err(|e| PyRuntimeError::new_err(e.to_string()))
-    }
-}
-```
-
-### 5.3 pip package layout
-
-```
-wifi-densepose/                  ← PyPI package name (unchanged)
-  wifi_densepose/                ← importable namespace
-    __init__.py                  ← re-exports core types + version
-    _core.pyd / _core.so         ← compiled PyO3 extension (maturin build output)
-    vitals.py                    ← thin Python wrapper + docstrings over _core vitals types
-    signal.py                    ← thin Python wrapper over _core signal types
-    client/
-      __init__.py
-      ws.py                      ← asyncio WebSocket client for sensing-server /ws/sensing
-      mqtt.py                    ← paho-mqtt wrapper for ruview/<node_id>/raw/* topics
-      ha.py                      ← helpers for HA-DISCO payloads (read-only, mirrors ADR-115 §3.2)
-    witness/
-      __init__.py
-      verify.py                  ← Python-callable witness verifier (re-creates ADR-028 proof
-                                     over the Rust pipeline via PyO3 bindings, not archive/v1/)
-    compat/
-      v1.py                      ← import shim that raises MigrationError (see §9)
-    py.typed                     ← PEP 561 marker
-```
-
-The import path intentionally maps to Rust crate names:
-
-```python
-from wifi_densepose import CsiFrame           # core types
-from wifi_densepose.vitals import BreathingExtractor, HeartRateExtractor
-from wifi_densepose.signal import CsiProcessor, MotionDetector
-from wifi_densepose.client.ws import SensingClient
-from wifi_densepose.witness import verify_bundle
-```
-
-### 5.4 PyPI distribution — wheel matrix
-
-Published as `wifi-densepose==2.0.0` using **cibuildwheel** driven by GitHub Actions.
-
-| Platform | Arch | CPython | Tag (stable ABI) |
-|---|---|---|---|
-| `manylinux_2_28` | x86_64 | 3.10+ | `cp310-abi3-manylinux_2_28_x86_64` |
-| `manylinux_2_28` | aarch64 | 3.10+ | `cp310-abi3-manylinux_2_28_aarch64` |
-| `macosx_11_0` | x86_64 | 3.10+ | `cp310-abi3-macosx_11_0_x86_64` |
-| `macosx_11_0` | arm64 | 3.10+ | `cp310-abi3-macosx_11_0_arm64` |
-| `win` | amd64 | 3.10+ | `cp310-abi3-win_amd64` |
-| sdist | — | — | source fallback |
-
-The `abi3-py310` flag means **one binary per OS/arch** covers all supported Python
-versions — 5 wheels total plus an sdist, compared to the 20-wheel matrix that would be
-needed without stable ABI.
-
-```yaml
-# .github/workflows/pip-release.yml (sketch)
-- uses: pypa/cibuildwheel@v2
-  with:
-    package-dir: v2/crates/wifi-densepose-py
-    output-dir: dist
-  env:
-    CIBW_BUILD: "cp310-*"
-    CIBW_ARCHS_LINUX: "x86_64 aarch64"
-    CIBW_ARCHS_MACOS: "x86_64 arm64"
-    CIBW_ARCHS_WINDOWS: "AMD64"
-    CIBW_BEFORE_BUILD: "pip install maturin"
-    CIBW_BUILD_FRONTEND: "build[uv]"
-```
-
-### 5.5 CLI parity
-
-The pip wheel installs a `wifi-densepose` console script. In v2 this script is a thin
-Python shim that:
-
-1. Checks whether `wifi-densepose-sensing-server` binary is on `PATH` (installed
-   separately via a platform-specific binary distribution or `cargo install`).
-2. If found: proxies `wifi-densepose serve`, `wifi-densepose stream`, etc. to the Rust
-   binary via `subprocess.run`.
-3. If not found: falls back to the PyO3 module for offline DSP commands
-   (`wifi-densepose vitals --file recording.jsonl`).
-
-This is explicitly **not** a reimplementation of the CLI — the Rust binary
-(`wifi-densepose-cli/src/main.rs`, currently exposes `mat` and `version` subcommands)
-is the authoritative CLI. The pip shim is a discovery/convenience layer.
-
-### 5.6 WS/MQTT client layer
-
-`wifi_densepose.client.ws.SensingClient` is a pure-Python asyncio client wrapping the
-sensing-server WebSocket at `/ws/sensing`:
-
-```python
-async with SensingClient("ws://localhost:8765/ws/sensing") as client:
-    async for msg in client.stream():
-        if msg.type == "edge_vitals":
-            print(msg.breathing_rate_bpm, msg.heartrate_bpm)
-```
-
-`wifi_densepose.client.mqtt.RuViewMqttClient` wraps paho-mqtt and subscribes to
-`ruview/<node_id>/raw/+` as defined in ADR-115 §3.2.
-
-Both clients are **pure Python** (no PyO3) and are optional dependencies (`pip install
-wifi-densepose[client]`). They depend on `websockets>=12` and `paho-mqtt>=2` respectively.
-
-### 5.7a Beamforming Feedback Loop Data (BFLD) support — new binding target
-
-**Added 2026-05-24 per maintainer feedback during P3 implementation.**
-
-BFLD is the transmitter-side, AP-station-loop view of the WiFi channel
-— compressed beamforming feedback frames that 802.11ac/ax/be stations
-send to the AP per sounding cycle. From a sensing perspective it
-complements receiver-side CSI:
-
-| | Receiver-side CSI (current) | BFLD (this addition) |
-|---|---|---|
-| Source | RX side of the radio (e.g. Nexmon CSI on Pi 5, ESP32 promisc cb) | Sniffed BFR frames in the air or `mac80211` ACK trace |
-| Subcarriers (HE20) | 52 (HT-LTF) or 242 (HE-LTF) | Up to 996 (HE160 compressed BFR) — denser |
-| Hardware requirements | Patched Broadcom/Cypress or ESP32 specifically | **Any** 802.11ac+ station-AP pair — no patched firmware |
-| Privacy model | Captures everyone in radio range | Same |
-| Maturity in repo | Production (ADR-014, ADR-018, ADR-039) | Research; no Rust crate yet |
-| Suitable use case | Through-wall pose + vitals | Dense subcarrier reflection profile for AETHER-class biometric (ADR-024) and the soul-signature spec (`docs/research/soul/`) |
-
-#### Binding strategy
-
-Because the Rust workspace has no `wifi-densepose-bfld` crate yet, P3
-ships a **forward-compatible Python trait surface** that the future
-Rust crate plugs into without changing the Python API:
-
-```python
-from wifi_densepose import BfldFrame, BfldReport
-
-# Today (P3): construct from a parsed BFR feedback matrix (the bring-
-# your-own-parser path). Users on Pi 5 + Wireshark BFR dissector
-# pipe frames in directly.
-frame = BfldFrame.from_compressed_feedback(
-    timestamp_ms=…,
-    sounding_index=…,
-    sta_mac="aa:bb:cc:…",
-    bandwidth_mhz=80,
-    n_subcarriers=996,
-    feedback_matrix=…,  # numpy ndarray complex64 [Nr × Nc × Nsc]
-)
-
-# P3 also ships a stub `BfldReport` aggregator that mirrors how
-# `VitalEstimate` aggregates `VitalReading`s. Users who have BFR
-# pipelines feeding RuView can use this today via the
-# bring-your-own-parser path.
-
-# Tomorrow (post-v2.0): the `wifi-densepose-bfld` Rust crate (TBD —
-# separate ADR-1xx) provides ingestion from Nexmon `nl80211` traces +
-# kernel `mac80211` debugfs hooks, and the pip wheel transparently
-# binds it without changing this Python surface.
-```
-
-#### Why this matters
-
-Three reasons BFLD belongs in v2.0 rather than waiting for the Rust
-core:
-
-1. **Customer pull**. Several integrators reading the ADR-115 release
-   notes asked about WiFi-6 dense-subcarrier capture; the answer is
-   BFLD, and we want the API stable before they build pipelines.
-2. **Soul-signature dependency**. The soul-signature research spec
-   (`docs/research/soul/specification.md`) lists "Subcarrier Reflection
-   Profile" as one of seven biometric channels. At HE20/HE80 the
-   dense BFR subcarriers are the right input — exposing `BfldFrame`
-   now lets researchers prototype the channel without waiting on a
-   Rust ingestion crate.
-3. **Cross-vendor portability**. CSI ingestion needs patched
-   firmware. BFR ingestion works on stock 802.11ac/ax hardware
-   (capture via `tcpdump`/Wireshark + a BFR dissector). Shipping the
-   Python data structures first gives the community a way to feed
-   RuView from gear we don't directly support.
-
-#### Implementation surface in P3
-
-Lands as a new module `bindings/bfld.rs` (~150 lines, three
-`#[pyclass]` types):
-
-- `BfldFrame` (frozen) — one compressed feedback matrix snapshot.
-  Constructors: `from_compressed_feedback(...)` and
-  `from_uncompressed_v(...)` (the 802.11n V-matrix form).
-  Properties: `timestamp_ms`, `sounding_index`, `sta_mac`,
-  `bandwidth_mhz`, `n_subcarriers`, `n_rows` (Nr), `n_cols` (Nc),
-  `feedback_matrix` (numpy ndarray complex64).
-- `BfldReport` (frozen) — aggregator over a window of `BfldFrame`s.
-  Properties: `n_frames`, `timestamp_first`, `timestamp_last`,
-  `mean_amplitude_per_subcarrier`, `coherence_score`. The Python
-  side gives users a stable handle for "all BFR data in this 60-s
-  scan" without leaking the storage representation.
-- `BfldKind` (`#[pyclass(eq, eq_int, hash, frozen)]`) — enum
-  enumerating the BFR variants we support: `CompressedHE20`,
-  `CompressedHE40`, `CompressedHE80`, `CompressedHE160`,
-  `UncompressedHT20`, `UncompressedHT40`.
-
-Stub Rust implementation lives in `python/src/bfld_stub.rs` until
-the proper Rust crate exists; it's intentionally not in v2/crates/.
-A new ADR-1xx will own the Rust ingestion crate when we commit to it.
-
-#### Open questions added
-
-- §9.11 — Should BFLD ingestion live in a new `wifi-densepose-bfld`
-  crate or in `wifi-densepose-signal` extended?
-- §9.12 — Per-vendor BFR variant compatibility (Broadcom vs Intel vs
-  Qualcomm encode the compressed angles slightly differently) — how
-  much normalisation belongs in the Python binding vs. the future
-  Rust crate?
-
-### 5.7 Witness chain (re-rooted to the Rust pipeline)
-
-`wifi_densepose.witness.verify_bundle(path)` replaces the v1 proof verification with a
-new chain that exercises the Rust pipeline via PyO3:
-
-```python
-from wifi_densepose.witness import verify_bundle
-
-result = verify_bundle("dist/witness-bundle-ADR028-*/")
-assert result.verdict == "PASS", result.detail
-```
-
-Internally it:
-1. Loads the 1,000-frame reference JSON from the bundle.
-2. Feeds each frame through `PyCsiProcessor` (PyO3 binding of the Rust `CsiProcessor`).
-3. Hashes the output using the same SHA-256 scheme as `archive/v1/data/proof/verify.py`.
-4. Compares against the published hash in `expected_features.sha256`.
-
-The v1 proof (`archive/v1/data/proof/verify.py`) is **preserved unchanged** — it
-continues to prove the v1 pipeline. The new `witness.py` proves the v2/Rust pipeline.
-Both can coexist; the ADR-028 witness bundle ships with both.
-
----
-
-## 6. Migration path (phased)
-
-```
-P1  ──►  P2  ──►  P3  ──►  P4  ──►  P5  ──►  P6+
-scaffold  core   vitals+   client   publish  deferred
-          types  signal    layer    v2.0.0
-```
-
-### P1 — Scaffold (1 week)
-
-- [ ] Add `v2/crates/wifi-densepose-py/` as workspace member.
-- [ ] `Cargo.toml`: `crate-type = ["cdylib"]`, pyo3 0.28 + `abi3-py310`, no
-  workspace deps yet (empty module compiles and imports).
-- [ ] `pyproject.toml` at repo root `python/` with `[build-system] requires =
-  ["maturin>=1.8"]` and `[tool.maturin] features = ["pyo3/extension-module"]`.
-- [ ] CI job: `maturin develop` on ubuntu-latest in a Python 3.12 venv; import
-  `wifi_densepose._core` succeeds.
-- [ ] Publish `wifi-densepose==1.99.0` to PyPI with a migration notice in the
-  module body (see §9 — no new features, just the tombstone release).
-
-### P2 — Core type bindings (1 week)
-
-- [ ] Bind `CsiFrame`, `CsiMetadata`, `Confidence`, `Keypoint`, `KeypointType`,
-  `BoundingBox`, `PoseEstimate`, `PersonPose` from `wifi-densepose-core`.
-- [ ] All types: `__repr__`, `__eq__`, `__hash__` where meaningful; serde JSON
-  round-trip via `pyo3-serde` or manual `to_dict()` / `from_dict()`.
-- [ ] Add `py.typed` + stub `.pyi` file generated by `pyo3-stub-gen`.
-- [ ] Unit tests: `tests/test_core.py` — construct each type, round-trip JSON.
-
-### P3 — Vitals + signal DSP bindings (2 weeks)
-
-- [ ] Bind the full 4-stage vitals pipeline:
-  `CsiVitalPreprocessor`, `BreathingExtractor`, `HeartRateExtractor`,
-  `VitalAnomalyDetector`, `VitalSignStore`, `VitalReading`, `VitalEstimate`,
-  `AnomalyAlert`.
-- [ ] Bind signal DSP entry points: `CsiProcessor`, `CsiProcessorConfig`,
-  `PhaseSanitizer`, `MotionDetector`, `HardwareNormalizer`.
-- [ ] GIL release (`py.allow_threads`) on all calls >0.5 ms (measured in bench).
-- [ ] Integration test: feed 1,000 frames from `archive/v1/data/proof/sample_csi_data.json`
-  through the PyO3 vitals pipeline; assert output is deterministic across runs.
-- [ ] Re-implement `witness/verify.py` using P3 bindings; compare SHA-256 against the
-  v1 expected hash. **Note:** the hash will differ because the Rust and Python
-  processors are not identical — generate and publish a new `expected_features_v2.sha256`.
-
-### P4 — WS/MQTT client layer (1 week)
-
-- [ ] Implement `wifi_densepose.client.ws.SensingClient` (asyncio, `websockets>=12`).
-- [ ] Implement `wifi_densepose.client.mqtt.RuViewMqttClient` (paho-mqtt 2.x).
-- [ ] Add `wifi_densepose.client.ha` helpers that parse ADR-115 MQTT discovery payloads
-  into Python dataclasses.
-- [ ] Integration test: spin up `sensing-server` in Docker with `--mock-frames`;
-  assert `SensingClient` receives `edge_vitals` messages.
-
-### P5 — First cibuildwheel publish as v2.0.0 (1 week)
-
-- [ ] `.github/workflows/pip-release.yml` — cibuildwheel matrix (5 wheels + sdist).
-- [ ] `python_requires = ">=3.10"` (stable ABI base).
-- [ ] Populate `pyproject.toml` with minimal `install_requires`: `pyo3` is a build dep,
-  not a runtime dep. Runtime extras: `[client]` adds `websockets>=12,paho-mqtt>=2`.
-- [ ] `pip install wifi-densepose==2.0.0` and smoke-test on each CI platform.
-- [ ] PyPI publish via Trusted Publisher (OIDC, no API token in secrets).
-- [ ] Announce: `wifi-densepose==1.99.0` tombstone already on PyPI; `v2.0.0` replaces
-  it in search results.
-
-### P3.5 — BFLD binding surface (concurrent with P3)
-
-**Added 2026-05-24 per maintainer feedback.** See §5.7a for the rationale.
-
-- [ ] `python/src/bindings/bfld.rs` — `BfldFrame`, `BfldReport`,
-  `BfldKind` `#[pyclass]` wrappers backed by a stub Rust impl
-  pending the v3 `wifi-densepose-bfld` crate.
-- [ ] `python/src/bfld_stub.rs` — minimal in-crate stub storage
-  (vec of compressed feedback matrices) so the Python API is
-  fully usable today even before the Rust ingestion crate lands.
-- [ ] Numpy bridge for `feedback_matrix` (Complex64 ndarray) — same
-  approach as `CsiFrame.amplitude` from P3.
-- [ ] Tests covering: per-bandwidth constructor paths
-  (HE20/HE40/HE80/HE160 + HT20/HT40), n_subcarriers contract,
-  coherence_score sanity, BfldKind hashability + equality.
-- [ ] Forward-compat contract test: `BfldFrame` constructed today
-  from a numpy ndarray must round-trip through (de)serialisation
-  identically once the Rust crate exists.
-- [ ] §9.11 + §9.12 open questions raised so the eventual Rust crate
-  has clear decisions waiting for it.
-
-P3.5 is concurrent with P3 (no new schedule cushion needed) because
-the Python surface is independent of the rest of the v2/ workspace.
-Land in the same wheel as P3.
-
-### P6+ — Deferred
-
-- [ ] `wifi-densepose-bfld` Rust crate — proper ingestion from
-  Nexmon BFR pcaps + `mac80211` debugfs. Replaces the P3.5 stub
-  storage without changing the Python API. Owns its own ADR-1xx.
-- [ ] `wifi-densepose-nn` bindings (libtorch / candle wheel size TBD — see Open
-  Questions §13.3).
-- [ ] `wifi-densepose-ruvector` bindings (RuVector attention types).
-- [ ] MQTT/Matter integration helpers (`wifi_densepose.client.matter`).
-- [ ] Deprecation notice on `wifi-densepose==1.x` releases (PyPI yank — see §9).
-- [ ] `wifi-densepose-sensing-server` binary distribution via pip extra
-  (`pip install wifi-densepose[server]` fetches pre-built binary for the platform).
-- [ ] HACS Python integration built on top of the pip client layer (follow-on to
-  ADR-115 §6.A).
-
----
-
-## 7. Compatibility and deprecation
-
-### 7.1 Version bump strategy
-
-`wifi-densepose==2.0.0` is a **hard major-version break**. The 1.x import namespace
-`src.*` is incompatible with the 2.x namespace `wifi_densepose.*`. There is no shim
-that can bridge them transparently.
-
-### 7.2 Tombstone release: v1.99.0
-
-Before publishing v2.0.0, publish `wifi-densepose==1.99.0` as a pure-Python sdist/wheel
-whose sole content is:
-
-```python
-# wifi_densepose/__init__.py  (v1.99.0)
-raise ImportError(
-    "wifi-densepose 1.x has been superseded by v2.0.0 which wraps "
-    "the Rust-based stack. Run:\n\n"
-    "    pip install wifi-densepose==2.0.0\n\n"
-    "Migration guide: https://github.com/ruvnet/RuView/blob/main/docs/pip-migration.md\n"
-    "Legacy v1 source: archive/v1/ in the repository"
-)
-```
-
-This ensures any project pinned to `wifi-densepose>=1` that upgrades to 1.99.0 gets a
-clear error rather than a silent broken import.
-
-### 7.3 PyPI yank strategy
-
-After v2.0.0 is stable (90-day observation window):
-
-- Yank `wifi-densepose==1.0.0` — never had a separate stable release period; was
-  superseded 4 hours after publication.
-- Leave `wifi-densepose==1.1.0` un-yanked but deprecated in the description.
-- Publish `wifi-densepose==1.99.0` as the canonical 1.x landing page (raise error).
-
-Yanked versions remain installable with `pip install wifi-densepose==1.1.0 --force`
-so users with reproducible builds pinned to exact versions are not broken silently.
-
-### 7.4 Semver
-
-| Version | Content |
-|---|---|
-| 1.0.0 – 1.1.0 | Legacy Python server (archive/v1/) |
-| **1.99.0** | Tombstone: ImportError migration notice |
-| **2.0.0** | PyO3 Rust bindings + WS/MQTT client |
-| 2.x.y | Additive bindings + client improvements |
-| 3.0.0 | If/when nn bindings added (libtorch wheel size may force a separate package) |
-
----
-
-## 8. Alternatives considered and rejected
-
-### Alt-A: Subprocess wrapper
-
-Package the pre-built `wifi-densepose-sensing-server` Rust binary inside the pip wheel.
-Python calls it via `subprocess`. **Rejected** because: the binary is 15–30 MB stripped;
-the install footprint is prohibitive; offline DSP scripting still requires the server to
-be running; the witness chain cannot exercise Rust code through a black-box binary.
-
-### Alt-B: REST/WS client only
-
-Ship a pure-Python package that is purely a client to a running `sensing-server`
-instance. **Rejected** because: it provides zero offline utility; it cannot host the
-witness chain over the Rust pipeline; it solves the "Python access to telemetry" problem
-but not the "Python DSP / prototyping" problem that academic and embedded users need.
-
-### Alt-C: Pure Python reimplementation
-
-Rewrite the DSP pipeline in pure Python/NumPy to reach parity with the Rust
-implementation. **Rejected explicitly** — this is the root cause of the current 11-month
-drift and the pattern this ADR is designed to exit. Any Python reimplementation will
-immediately begin drifting again as the Rust stack evolves.
-
----
-
-## 9. Risks
-
-| Risk | Likelihood | Severity | Mitigation |
-|---|---|---|---|
-| **Build matrix complexity** — 5 target triples × cibuildwheel setup; CI time; QEMU for aarch64 cross-compile | High | Medium | Use `abi3-py310` (5 wheels not 20); QEMU aarch64 emulation available in GitHub Actions; maturin handles auditwheel automatically |
-| **Binary size** — future nn/ONNX bindings may push wheel past 50 MB | Medium | High | Keep nn bindings in a separate `wifi-densepose-nn` PyPI package; keep core+vitals+signal wheel lean (~2 MB stripped) |
-| **GIL / async issues** — PyO3 wrapping tokio crates requires careful runtime management; `py.allow_threads` must be used around all blocking Rust calls | High | High | Restrict initial bindings to synchronous Rust APIs (vitals, signal, core are all sync); async sensing-server client stays in pure-Python `client/ws.py` |
-| **Maintainer overhead** — two languages, two build systems, one PyPI package | Medium | Medium | maturin unifies the build; CI handles publishing; start with 3 bound crates only |
-| **1.x user breakage** — users pinned to `wifi-densepose>=1,<2` will get the tombstone | Low | Medium | 1.99.0 tombstone gives a clear error; maintain 1.1.0 on PyPI un-yanked for 90 days post-v2 |
-| **Windows Rust toolchain in CI** — linking PyO3 on Windows requires MSVC or mingw; extra CI complexity | Medium | Medium | GitHub Actions `windows-latest` has MSVC; maturin + cibuildwheel handle this natively |
-| **Stable ABI limitations** — `abi3` precludes some advanced PyO3 features (e.g. `Buffer` protocol) | Low | Low | Core/vitals/signal types are scalar/Vec<f32> — no need for buffer protocol in P2–P3 |
-| **PyPI name ownership** — we own `wifi-densepose` on PyPI (confirmed via rUv author field) | Low | Low | Confirm with `pypi.org/user/ruvnet` before publishing |
-
----
-
-## 10. Acceptance criteria
-
-The following checks must all pass before ADR-117 is considered Accepted:
-
-- [ ] `pip install wifi-densepose==2.0.0` succeeds on Python 3.10, 3.11, 3.12, 3.13
-  on linux/x86_64, macos/arm64, and windows/amd64 in a clean venv with no extra build tools.
-- [ ] `python -c "import wifi_densepose; print(wifi_densepose.__version__)"` prints `2.0.0`.
-- [ ] `python -c "from wifi_densepose import CsiFrame; f = CsiFrame([1.0]*56, [0.0]*56, 56, 0, 100.0); print(f)"` produces a non-error repr.
-- [ ] The 4-stage vitals pipeline processes 1,000 frames in under 500 ms on a
-  reference machine (CPython 3.12, linux x86_64, no GPU).
-- [ ] `wifi_densepose.witness.verify_bundle(path)` returns `verdict="PASS"` for a
-  freshly generated witness bundle from `scripts/generate-witness-bundle.sh`.
-- [ ] `wifi_densepose.client.ws.SensingClient` receives at least one `edge_vitals`
-  message from a `sensing-server --mock-frames` instance within 5 seconds.
-- [ ] `pip install wifi-densepose==1.99.0` raises `ImportError` with the migration URL.
-- [ ] The compiled `_core` extension has no unresolved dynamic library dependencies
-  beyond libc/msvcrt (verified by `auditwheel show` on Linux, `delocate-listdeps` on macOS).
-- [ ] Type stubs (`wifi_densepose/*.pyi`) are present; `mypy --strict` passes on the
-  example code in `examples/vitals_from_buffer.py`.
-- [ ] Total wheel size for core+vitals+signal: `≤ 5 MB` per platform.
-
----
-
-## 11. Open questions
-
-1. **Stable ABI base version**: `abi3-py310` drops support for Python 3.9, which v1.1.0
-   declared. Is Python 3.9 EOL-enough (EOL 2025-10-05) to drop cleanly? *Tentative: yes,
-   drop 3.9. Use abi3-py310.*
-
-2. **Package name for nn bindings**: if `wifi-densepose-nn` bindings require a 30 MB
-   libtorch wheel, should they live at `wifi-densepose-nn` (separate PyPI package) or
-   as an optional heavy extra of `wifi-densepose[nn]`? *Tentative: separate package to
-   avoid polluting the lean wheel.*
-
-3. **Witness hash continuity**: the Rust pipeline will produce a different SHA-256 than
-   the v1 Python pipeline for the same input frames. The new `expected_features_v2.sha256`
-   must be generated and committed before v2.0.0 ships. Who generates it, and how is
-   the generation process itself witnessed? *Tentative: generate in CI, commit hash to
-   `archive/v1/data/proof/`, include in ADR-028 matrix.*
-
-4. **`ruv-neural` crate**: `v2/crates/ruv-neural/` exists in the workspace. Is it a
-   candidate for early Python bindings (useful for training-loop scripting), or should
-   it wait for the nn/train tier? *Tentative: defer — it depends on training backends.*
-
-5. **Tokio runtime**: `wifi-densepose-sensing-server` is tokio-based, but the three
-   crates bound in P2–P3 (`core`, `vitals`, `signal`) are synchronous. Are there any
-   hidden tokio dependencies that would force a runtime into the extension module?
-   *Tentative: inspect each crate's Cargo.toml for tokio deps before P1 scaffold.*
-
-6. **`pyo3-stub-gen` vs manual stubs**: automated stub generation from PyO3 has rough
-   edges for generics and newtype patterns. Should we hand-write `.pyi` stubs for the
-   first release? *Tentative: use `pyo3-stub-gen` for scaffolding, hand-tune for public
-   API.*
-
-7. **`wifi_densepose` vs `wifi-densepose` namespace**: the pip package name uses a dash
-   (`wifi-densepose`) but Python imports use underscores (`wifi_densepose`). The v1
-   package shipped under `src.*`, not `wifi_densepose.*`. Is there any tooling that
-   hardcodes the `src` namespace? *Tentative: the `src.*` namespace was specific to
-   `archive/v1/` and is cleanly dropped.*
-
-8. **cibuildwheel version**: the current stable is cibuildwheel v2.x. Does the
-   project's existing GitHub Actions config need updates for maturin builds vs
-   the current `cargo build` / `build.py` patterns? *Tentative: yes, add a separate
-   `pip-release.yml` workflow; do not modify existing Rust CI.*
-
-9. **RuVector bindings timeline**: the `wifi-densepose-ruvector` crate (`v2/crates/`)
-   depends on `ruvector-gnn = "2.0.5"`. Does ruvector-gnn ship as a pre-built static
-   lib or require linking at build time? This directly affects the P6+ wheel size.
-   *Tentative: investigate ruvector-gnn link strategy before committing to a timeline.*
-
-10. **`wifi_densepose.client.ha` conflict with ADR-115/116**: the `ha.py` helper module
-    should not duplicate the ADR-115 MQTT discovery logic in Python. Should it be read-only
-    (parse HA discovery JSON → Python dataclasses) or also write (publish discovery JSON)?
-    *Tentative: read-only for v2.0. Write path deferred to the HACS integration follow-on
-    (ADR-115 §6.A).*
-
-11. **BFLD Rust crate ownership** (added 2026-05-24): the P3.5 BFLD bindings ship with a
-    stub Rust impl in `python/src/bfld_stub.rs`. The proper Rust crate (Nexmon BFR pcap
-    parser + `mac80211` debugfs ingestor) will land later. Should it be a new
-    `wifi-densepose-bfld` workspace member, or should it extend `wifi-densepose-signal`?
-    *Tentative: new dedicated crate. Reasons: (a) the BFR parser is significant code
-    (Wireshark's dissector is ~2k lines) and bloats `-signal`; (b) BFLD ingestion is
-    optional — many deployments will only use CSI; gating behind a separate crate keeps
-    the default `-signal` lean. Decide before committing to the crate name in any
-    `pyproject.toml` extras.*
-
-12. **BFLD per-vendor compressed-angle variants** (added 2026-05-24): 802.11 standardizes
-    the compressed beamforming feedback format but vendors (Broadcom, Intel, Qualcomm,
-    MediaTek) differ in psi/phi quantization step + ordering of consecutive matrix
-    entries. How much normalisation belongs in the Python `BfldFrame.from_compressed_feedback`
-    binding vs. the future Rust crate? *Tentative: Python binding is dumb (numpy ndarray
-    in, numpy ndarray out — no decoding); the future Rust crate owns per-vendor
-    normalisation, exposed via a `Vendor` enum on the binding constructor. Confirm via
-    a per-vendor test fixture before P3.5 ships.*
-
----
-
-## 12. References
-
-### BFLD references (added 2026-05-24 for §5.7a + §11.11 + §11.12)
-
-- Hernandez & Bulut, *"Wi-Fi Sensing With Compressed Beamforming Feedback"*, ACM TOSN 2024 — first systematic survey of BFR-as-sensing
-- Yousefi, Soltanaghaei & Bharadia, *"Just-In-Time Wi-Fi Sensing Using Compressed Beamforming Feedback"*, MobiSys 2023 — practical pipeline for breath + heart-rate extraction from sniffed BFR
-- IEEE 802.11ax-2021 §27.3.10 — Compressed Beamforming Feedback frame format
-- Wireshark BFR dissector — `packet-ieee80211.c` reference implementation
-- AX210 Linux mac80211 debugfs BFR capture path (kernel 6.10+)
-- Sample BFR-vs-CSI parity dataset — TBD; we'll publish one alongside the
-  `wifi-densepose-bfld` crate when it lands
-
-### Original references
-
-- **PyPI package (current)**: https://pypi.org/project/wifi-densepose/ — v1.1.0, released 2025-06-07
-- **PyPI JSON metadata**: https://pypi.org/pypi/wifi-densepose/json
-- **Local source**: `archive/v1/setup.py`, `archive/v1/src/__init__.py`, `archive/v1/data/proof/verify.py`
-- **Rust workspace**: `v2/Cargo.toml`, `v2/crates/wifi-densepose-core/src/lib.rs`,
-  `v2/crates/wifi-densepose-vitals/src/lib.rs`, `v2/crates/wifi-densepose-signal/src/lib.rs`,
-  `v2/crates/wifi-densepose-sensing-server/src/lib.rs`
-- **PyO3 docs**: https://pyo3.rs/ — v0.28.3 stable, Rust ≥1.83 required
-- **maturin docs**: https://maturin.rs/ — supports Python 3.8+ on Linux/macOS/Windows/FreeBSD
-- **cibuildwheel docs**: https://cibuildwheel.pypa.io/
-- **ADR-021**: ESP32 vitals — defines the HR/BR extraction pipeline this ADR exposes in Python
-- **ADR-028**: ESP32 capability audit — defines the witness bundle format `witness/verify.py` must re-verify
-- **ADR-115**: HA-DISCO + HA-MIND + HA-FABRIC — defines the MQTT topic structure the `client/mqtt.py` helper consumes
-- **ADR-116**: HA-COG cog packaging — parallel effort; ADR-117 pip library is the developer-facing Python surface; ADR-116 is the Seed-installable artifact

docs/adr/ADR-118-bfld-beamforming-feedback-layer-for-detection.md

@@ -1,196 +0,0 @@
-# ADR-118: BFLD — Beamforming Feedback Layer for Detection
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-24 |
-| **Deciders** | ruv |
-| **Codename** | **BFLD** — Beamforming Feedback Layer for Detection |
-| **Relates to** | [ADR-024](ADR-024-contrastive-csi-embedding-model.md) (AETHER), [ADR-027](ADR-027-cross-environment-domain-generalization.md) (MERIDIAN), [ADR-028](ADR-028-esp32-capability-audit.md) (witness), [ADR-029](ADR-029-ruvsense-multistatic-sensing-mode.md) (multistatic), [ADR-030](ADR-030-ruvsense-persistent-field-model.md) (field model), [ADR-031](ADR-031-ruview-sensing-first-rf-mode.md) (sensing-first), [ADR-032](ADR-032-multistatic-mesh-security-hardening.md) (mesh security), [ADR-095](ADR-095-rvcsi-edge-rf-sensing-platform.md) (rvCSI), [ADR-115](ADR-115-home-assistant-integration.md) (HA), [ADR-116](ADR-116-cog-ha-matter-seed.md) (Matter), [ADR-117](ADR-117-pip-wifi-densepose-modernization.md) (pip) |
-| **Sub-ADRs** | [ADR-119](ADR-119-bfld-frame-format-and-wire-protocol.md) (frame), [ADR-120](ADR-120-bfld-privacy-class-and-hash-rotation.md) (privacy), [ADR-121](ADR-121-bfld-identity-risk-scoring.md) (risk), [ADR-122](ADR-122-bfld-ruview-ha-matter-exposure.md) (RuView), [ADR-123](ADR-123-bfld-capture-path-nexmon-and-esp32.md) (capture) |
-| **Research bundle** | [`docs/research/BFLD/`](../research/BFLD/) (11 files, 13,544 words) |
-| **Companion research** | [`docs/research/soul/`](../research/soul/) — Soul Signature multi-modal biometric. BFLD is the policy-enforcement and compliance layer for Soul Signature; the two share the AETHER encoder (ADR-024), the witness chain (ADR-110/028), the RVF container, and `cross_room.rs` (ADR-030). |
-| **Tracking issue** | TBD |
-
----
-
-## 1. Context
-
-### 1.1 The plaintext BFI problem
-
-IEEE 802.11ac and 802.11ax beamforming feedback (BFI) is exchanged between client stations (STA) and access points (AP) in **unencrypted management-plane frames**. The STA compresses the channel response into a Givens-rotation angle matrix (Φ/ψ) and transmits it as a VHT/HE Compressed Beamforming Report (CBFR). Any device in WiFi monitor mode within range can passively sniff these frames without joining the network.
-
-Two independent 2024–2025 research results establish the severity of this exposure:
-
-1. **BFId** (KIT, ACM CCS 2025) — re-identifies 197 individuals from BFI alone with >90% accuracy from 5 s of capture. https://publikationen.bibliothek.kit.edu/1000185756
-2. **LeakyBeam** (NDSS 2025) — detects occupancy through walls at 20 m with 82.7% TPR / 96.7% TNR using only plaintext BFI. https://www.ndss-symposium.org/wp-content/uploads/2025-5-paper.pdf
-
-Capture tooling is freely available: **Wi-BFI** (pip-installable), **PicoScenes**, **Nexmon BFI patches** for BCM43455c0 (Raspberry Pi 5 / 4 / 3B+).
-
-### 1.2 Gap in the existing RuView pipeline
-
-The wifi-densepose / RuView pipeline processes CSI via the rvCSI runtime (ADR-095/096) and emits presence, pose, vitals, and zone-activity events. **No layer in the existing pipeline measures whether the data it is processing is capable of identifying individuals.** All CSI is treated as equivalent from a privacy standpoint regardless of operating regime.
-
-This gap becomes a compliance and liability issue at deployment scale. An operator placing RuView in a care home, hotel, shared office, or rental property has no instrument to verify that the system is operating anonymously.
-
-### 1.3 BFI as a sensing signal
-
-BFI is not only a threat vector — its compressed angle matrices carry multipath geometry useful for presence and motion detection, particularly in single-AP deployments where MIMO CSI is unavailable. BFLD treats BFI as an **optional input alongside CSI**, not a replacement.
-
-### 1.4 Relationship to the Soul Signature research
-
-The Soul Signature research (`docs/research/soul/`) defines a 7-channel multi-modal biometric for **consent-based** passive re-identification of enrolled individuals. Where Soul Signature *intentionally produces* identity (with a 60-second enrollment protocol), BFLD *measures and gates* identity leakage from the same sensing substrate. The two systems are complementary by design:
-
-| Concern | Soul Signature | BFLD |
-|---------|----------------|------|
-| Intent | Create a biometric for enrolled persons | Measure and gate identity leakage |
-| Consent model | Explicit enrollment, GDPR/HIPAA modes | Default-deny, all unenrolled persons |
-| Operating class | Must run at `privacy_class = 1` (derived) | Defaults to class 2 (anonymous) |
-| Shared assets | AETHER encoder (ADR-024), WitnessChain (ADR-110/028), RVF container, `cross_room.rs` (ADR-030) | Same |
-| ID space | Long-lived opaque `person_id` per enrolled subject | Rotating `rf_signature_hash` per day per unenrolled person |
-
-BFLD becomes Soul Signature's enforcement layer: the `identity_risk_score` gates whether a zone is leaky enough to enroll, the witness bundle is the regulator-facing audit artifact, and the structural privacy invariants (I1/I2/I3) ensure unenrolled bystanders stay anonymous even in zones where Soul Signature is actively matching enrolled persons. See ADR-120 §2.7 and ADR-121 §2.7 for the integration points.
-
-### 1.5 What this ADR is *not*
-
-- Not a removal of the CSI pipeline. ADR-095/096 rvCSI stays authoritative for CSI.
-- Not a port of any external sniffer into the repo. The Nexmon capture path lives in a separate adapter (see ADR-123).
-- Not a Matter SDK ship — Matter exposure is filtered through the ADR-116 `cog-ha-matter` boundary.
-
----
-
-## 2. Decision
-
-Create a new Rust crate **`wifi-densepose-bfld`** in `v2/crates/` that:
-
-1. **Ingests** BFI angle matrices (Φ/ψ) from CBFR frames, optionally fused with CSI.
-2. **Computes** nine named features and an `identity_risk_score` (separability × temporal_stability × cross_perspective_consistency × sample_confidence).
-3. **Gates** all output through a `privacy_class` byte that **structurally prevents** identity-correlated data from being published at classes 2 (anonymous) and 3 (restricted).
-4. **Emits** `BfldEvent` JSON over MQTT under `ruview/<node_id>/bfld/*` with per-class topic routing.
-5. **Enforces three invariants structurally, not by policy**:
-   - **I1**: Raw BFI never exits the node.
-   - **I2**: Identity embedding is in-RAM-only (no disk, no network).
-   - **I3**: Cross-site identity correlation is cryptographically impossible via per-site keyed BLAKE3 hash rotation with a daily epoch.
-
-The umbrella implementation is decomposed into five sub-ADRs:
-
-| Sub-ADR | Scope |
-|---------|-------|
-| **ADR-119** | `BfldFrame` wire format, magic `0xBF1D_0001`, deterministic serialization, CRC32 |
-| **ADR-120** | `privacy_class` semantics, BLAKE3 hash rotation, default-deny field classification |
-| **ADR-121** | Identity risk scoring formula, coherence gate, leakage estimator |
-| **ADR-122** | RuView surface: HA entities, Matter cluster boundary, MQTT topic ACL |
-| **ADR-123** | Capture path: Pi 5 / Nexmon adapter + ESP32-S3 BFI feasibility |
-
-### 2.1 Crate module layout
-
-```
-v2/crates/wifi-densepose-bfld/
-├── Cargo.toml
-└── src/
-    ├── lib.rs
-    ├── frame.rs             # BfldFrame (ADR-119)
-    ├── extractor.rs         # CBFR parser → BfiCapture
-    ├── features.rs          # 9 features
-    ├── identity_risk.rs     # risk score (ADR-121)
-    ├── privacy_gate.rs      # privacy_class enforcement (ADR-120)
-    ├── hash_rotation.rs     # BLAKE3 per-site rotation (ADR-120)
-    ├── emitter.rs           # BfldEvent → MQTT
-    ├── mqtt.rs              # topic routing (ADR-122)
-    └── ffi.rs               # PyO3 bindings (ADR-117 pattern)
-```
-
-### 2.2 Reuse map
-
-| BFLD module | Depends on |
-|---|---|
-| `features.rs` | `wifi-densepose-signal/src/ruvsense/coherence.rs`, `multistatic.rs` |
-| `identity_risk.rs` | `wifi-densepose-ruvector/src/viewpoint/attention.rs`, `coherence.rs` |
-| `privacy_gate.rs` | (new) — no upstream dependency |
-| `hash_rotation.rs` | `blake3 = "1.5"` (keyed mode) |
-| `extractor.rs` | `vendor/rvcsi/crates/rvcsi-adapter-nexmon` (ADR-095/096) |
-
----
-
-## 3. Consequences
-
-### Positive
-
-- First explicit, auditable RF-layer privacy primitive in the wifi-densepose ecosystem.
-- `identity_risk_score` doubles as an anomaly signal (sudden spike → new AP firmware / nearby attacker-grade sniffer / unusual propagation).
-- BFI fusion augments presence/motion in single-AP deployments.
-- Deterministic frame hashes extend the ADR-028 witness-bundle pattern to the new surface.
-- Cross-site isolation is **structural, not policy-dependent** — a stronger guarantee than ACLs.
-
-### Negative
-
-- ESP32-S3 cannot directly capture CBFR via the Espressif WiFi API. Full BFLD pipeline requires a Pi 5 / Nexmon host sniffer (cognitum-v0 available; see ADR-123).
-- `identity_risk_score` calibration requires the KIT BFId dataset (non-commercial research agreement).
-- Estimated effort: ~10.5 engineer-weeks across the six ADRs.
-
-### Neutral
-
-- BFLD does not prevent passive BFI capture by an external attacker (LeakyBeam-class). It only ensures the **node's own output** is non-identifying. Operators must understand this distinction.
-- Daily hash rotation prevents multi-day analytics correlating individual signatures across the day boundary. Acceptable for privacy goals; may surprise analytics use-cases.
-
----
-
-## 4. Alternatives Considered
-
-### Alt 1: Skip BFI entirely (CSI-only)
-
-Rejected because: (a) leaves the identity-leakage gap open for the CSI pipeline; (b) as BFI tooling becomes ubiquitous (Wi-BFI, PicoScenes), the absence of a privacy layer becomes more conspicuous for operators.
-
-### Alt 2: Publish `identity_risk_score` publicly by default
-
-Rejected: the risk score itself is privacy-sensitive (reveals presence via timing correlation). Default is opt-in.
-
-### Alt 3: Cloud ML on raw BFI
-
-Rejected: violates I1. Cloud training creates an off-node store of angle matrices reconstructible into identity profiles.
-
-### Alt 4: Differential privacy noise on BFI at ingress
-
-Deferred to a follow-up ADR. DP sensitivity analysis and its interaction with `identity_risk_score` calibration are not yet complete. Current design achieves privacy through structural impossibility, not noise injection.
-
----
-
-## 5. Acceptance Criteria
-
-- [ ] **AC1**: Extractor parses BFI from 802.11ac and 802.11ax captures, 20/40/80/160 MHz, 2×2 through 4×4 MIMO.
-- [ ] **AC2**: Presence detection latency ≤ 1 s p95 from first non-empty BFI frame.
-- [ ] **AC3**: Motion score published at ≥ 1 Hz on `ruview/<node_id>/bfld/motion/state`.
-- [ ] **AC4**: Raw BFI bytes never present in any serialized `BfldFrame` payload at any `privacy_class` value.
-- [ ] **AC5**: With `privacy_mode` enabled, all identity-derived fields are absent from outbound events.
-- [ ] **AC6**: Identical `BfiCapture` inputs produce bit-identical `BfldFrame` serialization (deterministic hash).
-- [ ] **AC7**: Pipeline produces valid `BfldEvent` outputs without `csi_matrix` (BFI-only mode).
-
-Per-sub-ADR acceptance criteria are defined in ADR-119 through ADR-123.
-
----
-
-## 6. Phased Rollout
-
-| Phase | ADR | Scope | Effort |
-|-------|-----|-------|--------|
-| **P1** | 119 | Frame format + extractor stub | 1.5 wk |
-| **P2** | 121 | Features + identity_risk_score | 2.0 wk |
-| **P3** | 120 | Privacy gate + hash rotation | 1.5 wk |
-| **P4** | 122 (a) | MQTT emitter + HA discovery | 1.5 wk |
-| **P5** | 122 (b) | Matter cluster boundary in `cog-ha-matter` | 1.5 wk |
-| **P6** | 123 | Pi 5 / Nexmon capture adapter | 2.5 wk |
-| **Total** | | | **10.5 wk** |
-
----
-
-## 7. Related ADRs
-
-See header table. Cross-references in body cite the structural reuse of:
-- ADR-024 (AETHER embedding for identity_risk computation)
-- ADR-027 (MERIDIAN's no-cross-site assumption is now structurally enforced by I3)
-- ADR-028 (witness-bundle extends to BFLD surface)
-- ADR-029/030 (`multistatic.rs`, `cross_room.rs` reused)
-- ADR-095/096 (rvCSI Nexmon adapter for BFI capture)
-- ADR-115 (HA surface extension)
-- ADR-116 (`cog-ha-matter` boundary filter)
-- ADR-117 (PyO3 bindings pattern)

docs/adr/ADR-119-bfld-frame-format-and-wire-protocol.md

@@ -1,163 +0,0 @@
-# ADR-119: BFLD Frame Format and Wire Protocol
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-24 |
-| **Deciders** | ruv |
-| **Parent** | [ADR-118](ADR-118-bfld-beamforming-feedback-layer-for-detection.md) |
-| **Relates to** | [ADR-028](ADR-028-esp32-capability-audit.md) (witness/deterministic proof), [ADR-095](ADR-095-rvcsi-edge-rf-sensing-platform.md) (rvCSI `CsiFrame` schema) |
-| **Tracking issue** | TBD |
-
----
-
-## 1. Context
-
-The BFLD pipeline (ADR-118) emits an over-the-wire `BfldFrame` consumed by the RuView aggregator, HA bridge, and witness bundle. The frame must be:
-
-1. **Deterministic** — identical input ⇒ bit-identical output, so witness hashes survive verification (ADR-028 pattern).
-2. **Self-describing** — magic + version so future BFLD revisions don't silently corrupt aggregator state.
-3. **Privacy-classified at the byte level** — the receiver must know the data class before it even parses the payload, so it can drop frames it isn't authorized to handle.
-4. **Compact** — BFLD nodes may emit at up to 10 Hz; the frame must be small enough for unsharded MQTT and ESP-NOW transport.
-5. **Endianness-stable** — captures from x86_64 (ruvultra), aarch64 (cognitum-v0, Pi 5 cluster), and Xtensa (ESP32-S3) must produce identical bytes.
-
-The existing rvCSI `CsiFrame` (ADR-095) is the closest precedent. BFLD reuses the same little-endian convention and the same "validate-before-FFI" posture.
-
----
-
-## 2. Decision
-
-### 2.1 `BfldFrame` header (40 bytes, little-endian, packed)
-
-```rust
-#[repr(C, packed)]
-pub struct BfldFrameHeader {
-    pub magic: u32,              // 0xBF1D_0001
-    pub version: u16,            // 1
-    pub flags: u16,              // bit0=has_csi_delta, bit1=privacy_mode, bit2-15 reserved
-    pub timestamp_ns: u64,       // monotonic capture clock
-
-    pub ap_hash: [u8; 16],       // BLAKE3-keyed(site_salt, ap_mac)[0..16]
-    pub sta_hash: [u8; 16],      // BLAKE3-keyed(site_salt ‖ day_epoch, sta_mac)[0..16]
-    pub session_id: [u8; 16],    // ephemeral, rotated on capture-session boundary
-
-    pub channel: u16,            // 802.11 channel number
-    pub bandwidth_mhz: u16,      // 20 | 40 | 80 | 160
-    pub rssi_dbm: i16,
-    pub noise_floor_dbm: i16,
-
-    pub n_subcarriers: u16,
-    pub n_tx: u8,
-    pub n_rx: u8,
-    pub quantization: u8,        // 0=f32, 1=i16, 2=i8, 3=packed (4-bit nibbles)
-    pub privacy_class: u8,       // 0=raw, 1=derived, 2=anonymous, 3=restricted (default 2)
-
-    pub payload_len: u32,
-    pub payload_crc32: u32,      // CRC-32/ISO-HDLC over payload bytes only
-}
-```
-
-Total header size: **86 bytes packed** (validated by `static_assertions::const_assert_eq!` in `wifi-densepose-bfld/src/frame.rs`). Earlier drafts stated 40 bytes — that was a counting error caught during P1 scaffold; see AC1 below.
-
-### 2.2 Payload structure
-
-Payload is a length-prefixed sequence of typed sections in this exact order:
-
-```
-payload = compressed_angle_matrix
-        ‖ amplitude_proxy
-        ‖ phase_proxy
-        ‖ snr_vector
-        ‖ optional_csi_delta            (present iff flags.bit0 set)
-        ‖ optional_vendor_extension     (length 0 allowed)
-```
-
-Each section is `[u32 len_le][bytes...]`. The CRC32 covers all section bytes including length prefixes, but **not** the header.
-
-### 2.3 Privacy-class gating at serialization
-
-The serializer enforces these rules **before** writing any payload bytes:
-
-| `privacy_class` | `compressed_angle_matrix` | Identity-derived fields | Notes |
-|-----------------|---------------------------|-------------------------|-------|
-| 0 (`raw`) | full | full | **Local-only**, never serialized to a network sink |
-| 1 (`derived`) | downsampled to 8-bit, top-k subcarriers | full | Operator-acknowledged research mode |
-| 2 (`anonymous`, **default**) | absent (zero-length section) | absent | Production default |
-| 3 (`restricted`) | absent | absent + diagnostic-only | Equivalent to class 2 + suppresses `identity_risk_score` on the bus |
-
-The serializer returns `Err(BfldError::PrivacyViolation)` if the caller attempts to publish a class-0 frame through a network sink. This is enforced by a sink-type marker trait (`LocalSink` vs `NetworkSink`).
-
-### 2.4 Deterministic serialization
-
-Three guarantees:
-
-1. **Field order is fixed** by `#[repr(C, packed)]`.
-2. **Float quantization is canonical** — `quantization` byte values 1/2/3 use specified round-half-to-even with documented saturation; f32 (value 0) is forbidden over the wire (local-only).
-3. **CRC32 is computed last**, after all section bytes are placed.
-
-The witness test in `tests/determinism.rs` captures a 200-frame BFI fixture, serializes it 1,000 times across two threads, and verifies the BLAKE3 of the resulting byte stream is bit-identical.
-
-### 2.5 Magic value rationale
-
-`0xBF1D_0001` is chosen so that `bf1d` reads as "BFLD" in hex-dump output, easing wireshark / xxd debugging. The final `0001` is the major version; minor revisions bump `version` field.
-
----
-
-## 3. Consequences
-
-### Positive
-
-- 40-byte header + compact payload fits comfortably in a 1500-byte MTU even at 4×4 MIMO with 256 subcarriers.
-- Serialization is `#[no_std]` compatible — same code can run on ESP32-S3 (when ESP-NOW transport is added under ADR-123 P2).
-- Witness-bundle integration is direct: the existing `archive/v1/data/proof/verify.py` pattern extends to a `bfld_verify.py` that consumes the same SHA-256 expected-hash file format.
-
-### Negative
-
-- `#[repr(C, packed)]` on the header means consumers must use `read_unaligned` — small ergonomic cost, mitigated by a `#[derive(BfldFrameAccess)]` proc-macro.
-- Reserved flag bits 2-15 lock in future-extension order; any new bit assignment is a version bump.
-
-### Neutral
-
-- The vendor-extension section allows downstream RuView cogs (e.g., `cog-pose-estimation`) to attach metadata without a header change, at the cost of CRC scope creep. Vendor sections are explicitly outside the witness hash.
-
----
-
-## 4. Alternatives Considered
-
-### Alt 1: Protobuf / FlatBuffers
-
-Rejected: schema evolution overhead, witness-hash instability across protoc versions, ~3× wire bloat for the small fixed-shape fields.
-
-### Alt 2: CBOR
-
-Rejected: deterministic CBOR (RFC 8949 §4.2) is achievable but the parser surface is large and tag handling is a footgun for the `no_std` ESP32 path.
-
-### Alt 3: Variable-width magic / no magic
-
-Rejected: receivers must distinguish BFLD frames from rvCSI `CsiFrame` and other RuView payloads on shared transports.
-
-### Alt 4: Move CRC32 to header
-
-Rejected: CRC must be computed after the payload, so its value would otherwise force a header rewrite; placing it last avoids a buffer-pass-back.
-
----
-
-## 5. Acceptance Criteria
-
-- [ ] **AC1**: `BfldFrameHeader` size is exactly **86 bytes** (packed) on x86_64, aarch64, and xtensa-esp32s3. The size was initially documented as 40 bytes during ADR drafting — that was a counting error; the implementation in `wifi-densepose-bfld/src/frame.rs` enforces the correct value via `const_assert_eq!`.
-- [ ] **AC2**: 1,000 serializations of a fixed `BfiCapture` fixture produce a bit-identical BLAKE3 hash.
-- [ ] **AC3**: `privacy_class = 0` frame returned through `NetworkSink::publish()` returns `Err(BfldError::PrivacyViolation)`.
-- [ ] **AC4**: Payload CRC32 mismatch causes `BfldFrame::parse()` to return `Err(BfldError::Crc)` without exposing partial payload state.
-- [ ] **AC5**: Round-trip serialize/parse preserves all header fields exactly.
-- [ ] **AC6**: A frame with `flags.bit0 = 0` (no CSI delta) and an unexpected CSI-delta section is rejected.
-- [ ] **AC7**: Bench: serialization throughput ≥ 50k frames/sec on a 2025-era M1/M2 / Pi 5 core.
-
----
-
-## 6. References
-
-- ADR-118 §2 (umbrella decision)
-- ADR-095 `CsiFrame` (`vendor/rvcsi/crates/rvcsi-core/src/frame.rs`)
-- CRC-32/ISO-HDLC: `crc = "3"` crate
-- BLAKE3 keyed mode: `blake3 = "1.5"`
-- IEEE 802.11-2020 §19.3.12 (Compressed Beamforming Report)

docs/adr/ADR-120-bfld-privacy-class-and-hash-rotation.md

@@ -1,192 +0,0 @@
-# ADR-120: BFLD Privacy Class and Hash Rotation
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-24 |
-| **Deciders** | ruv |
-| **Parent** | [ADR-118](ADR-118-bfld-beamforming-feedback-layer-for-detection.md) |
-| **Relates to** | [ADR-027](ADR-027-cross-environment-domain-generalization.md) (MERIDIAN no-cross-site), [ADR-032](ADR-032-multistatic-mesh-security-hardening.md) (mesh security), [ADR-106](ADR-106-dp-sgd-and-primitive-isolation.md) (primitive isolation), [ADR-115](ADR-115-home-assistant-integration.md) (privacy mode) |
-| **Companion research** | [`docs/research/soul/`](../research/soul/) — Soul Signature operates at `privacy_class = 1` (derived). §2.7 defines the dual-ID-space contract. |
-| **Tracking issue** | TBD |
-
----
-
-## 1. Context
-
-ADR-118 declares three structural invariants for BFLD:
-
-- **I1**: Raw BFI never exits the node.
-- **I2**: Identity embedding is in-RAM-only.
-- **I3**: Cross-site identity correlation is cryptographically impossible.
-
-I1/I2 are enforced by sink typing and module visibility (ADR-119 §2.3). I3 requires a hash-rotation scheme that makes the same physical person produce **different** `rf_signature_hash` values across sites and across day boundaries, without any out-of-band coordination between sites.
-
-The existing `HA-PRIVACY` mode in ADR-115 already toggles between "full" and "anonymous" surfaces, but at a per-event granularity — not at a per-byte-field granularity. BFLD requires the latter because the `BfldFrame` payload mixes sensing data (publishable) and identity-derived data (non-publishable) in the same struct.
-
-The BFId paper (KIT, ACM CCS 2025) demonstrates that even a few minutes of BFI capture across the same site is sufficient to build a persistent biometric. The mitigation must be **structural**, not policy-dependent.
-
----
-
-## 2. Decision
-
-### 2.1 The four privacy classes
-
-A single `privacy_class: u8` byte in the `BfldFrame` header (ADR-119 §2.1) selects one of four classes. The crate enforces field availability statically through marker types.
-
-| Class | Name | Use case | Available fields |
-|-------|------|----------|------------------|
-| **0** | `raw` | Local-only research, never networked | All fields, full-precision BFI matrix, identity embedding |
-| **1** | `derived` | Operator-acknowledged research over LAN | Downsampled angle matrix, full features, identity_risk_score, identity_embedding |
-| **2** | `anonymous` (**default**) | Production deployment | Aggregate sensing only: presence, motion, person_count, zone_id, confidence |
-| **3** | `restricted` | Care-home / regulated deployment | Class 2 minus `identity_risk_score` and `rf_signature_hash` |
-
-Default for new RuView nodes is class **2**. Operators must explicitly opt-down to class 1 via the existing `--research-mode` flag (ADR-115 §7); class 0 is reserved for `cargo test` and is unreachable from `wifi-densepose-sensing-server`.
-
-### 2.2 Enforcement via marker types
-
-```rust
-pub trait Sink {}
-
-pub trait LocalSink: Sink {}     // Allowed: classes 0,1,2,3
-pub trait NetworkSink: Sink {}   // Allowed: classes 1,2,3 (NOT class 0)
-pub trait MatterSink: NetworkSink {}  // Allowed: class 2,3 + cluster-filter (ADR-122)
-
-impl Emitter {
-    pub fn publish<S: NetworkSink>(&self, sink: &S, frame: BfldFrame)
-        -> Result<(), BfldError>
-    {
-        if frame.header.privacy_class == 0 {
-            return Err(BfldError::PrivacyViolation {
-                reason: "class 0 to NetworkSink",
-            });
-        }
-        // ... serialize and write
-    }
-}
-```
-
-The compiler refuses to call `publish` on a sink that doesn't impl `NetworkSink` with a class-0 frame because the runtime check is paired with a sink-marker check. Cross-sink frame routing requires an explicit class transition (see §2.4).
-
-### 2.3 BLAKE3 keyed hash rotation for `rf_signature_hash`
-
-The signature hash is computed as:
-
-```rust
-pub fn rf_signature_hash(
-    site_salt: &[u8; 32],       // generated on first boot, persisted in TPM/KMS
-    day_epoch: u32,             // floor(unix_time_utc / 86400)
-    features: &IdentityFeatures,
-) -> Hash {
-    let mut hasher = blake3::Hasher::new_keyed(site_salt);
-    hasher.update(&day_epoch.to_le_bytes());
-    hasher.update(&features.canonical_bytes());
-    hasher.finalize()
-}
-```
-
-**Structural cross-site isolation**: because `site_salt` is a 256-bit random secret unique to each node and never transmitted, two sites observing the same physical person produce uncorrelated hashes. There is no key the operator (or an attacker who compromises one node) can use to bridge sites. This is stronger than a policy-based "do not share" rule because the bridge **cannot be computed**.
-
-**Daily rotation**: `day_epoch` flipping at UTC midnight forces the hash of the same person to change once per day. Multi-day correlation requires re-acquiring the biometric, which the rotation actively breaks.
-
-### 2.4 Class-transition transformer
-
-The only way a high-class frame becomes a lower-class frame is through `PrivacyGate::demote(frame, target_class)`. This function:
-
-1. Asserts the target class is strictly higher number than (or equal to) the input class.
-2. Zeroes the disallowed fields with `subtle::Zeroize`.
-3. Re-computes `payload_crc32`.
-4. Returns the new frame.
-
-There is no `promote` operation — a class-2 frame cannot be turned back into a class-1 frame, because the dropped fields were not retained anywhere reachable from the gate.
-
-### 2.5 `identity_embedding` lifecycle
-
-The embedding (output of the AETHER encoder, ADR-024) is held in a `subtle::Zeroizing<[f32; 128]>` ring buffer of 64 entries (≈30 KB). Entries are:
-
-1. Written by the encoder on each capture window.
-2. Consumed by `identity_risk_score` computation (ADR-121).
-3. **Never** written to disk, MQTT, or any other I/O sink — there is no `Serialize` impl on the type.
-4. Overwritten by the ring (FIFO).
-
-A compile-time `#[forbid(serde::Serialize)]` lint on `IdentityEmbedding` ensures a future PR cannot accidentally add a `Serialize` derive.
-
-### 2.6 Default-deny field classification
-
-Every new field added to `BfldFrame` or `BfldEvent` must be tagged with `#[must_classify]` (a custom attribute macro). The macro fails compilation if the field is not listed in the per-class allow-list table. This forces future contributors to make an explicit privacy decision on every new field.
-
-### 2.7 Dual-ID-space contract for Soul Signature deployments
-
-Soul Signature (`docs/research/soul/`) is a consent-based biometric system that *intentionally* produces long-lived per-person identity. It cannot operate at the default class 2 — the identity_embedding it needs is structurally absent there. The contract:
-
-| Deployment mode | `privacy_class` | ID space for unenrolled bystanders | ID space for enrolled persons |
-|---|---|---|---|
-| Default BFLD-only | 2 (anonymous) | Daily-rotated `rf_signature_hash` | n/a — no enrollment |
-| Soul Signature opt-in | **1 (derived)** | Daily-rotated `rf_signature_hash` (unchanged) | Long-lived opaque `person_id` from Soul Signature graph |
-| Restricted / care-home | 3 (restricted) | Suppressed | n/a — Soul Signature **disabled** at class 3 |
-
-Two ID spaces coexist with **no collision**: the rotating hash is the privacy-preserving identifier for everyone *not* on the consent roster; the stable `person_id` is reserved for enrolled subjects under their own GDPR/HIPAA mode. Soul Signature's `match_against_enrolled()` function consumes only the in-RAM `identity_embedding` (I2 still holds) and emits a `person_id` plus a calibrated similarity score; it never writes the embedding to disk or the wire. The class-1 requirement is enforced statically: the Soul Signature match API takes a `&IdentityEmbedding` parameter, which is only constructible when the BFLD crate is compiled with `--features soul-signature` against a class-1 frame.
-
----
-
-## 3. Consequences
-
-### Positive
-
-- Cross-site identity correlation is **computationally impossible**, not merely "prohibited by policy". This is the strongest form of privacy guarantee available without a TEE.
-- Default-deny via `#[must_classify]` prevents the common pattern of "a new field shipped, then six months later we noticed it was identity-leaky".
-- `identity_embedding` cannot be serialized by accident — the type system carries the constraint.
-- The class transition transformer makes the data lifecycle explicit and auditable.
-
-### Negative
-
-- `site_salt` storage requires either a TPM (ADR-095/096 rvCSI platform feature gap) or a secrets file with strict mode. Loss of `site_salt` makes historical witness comparisons impossible — by design, but a documentation hazard.
-- `#[must_classify]` is a custom proc-macro; another moving part in the build.
-- Operators wanting multi-day analytics must work in aggregates only, not on per-individual signatures.
-
-### Neutral
-
-- Class 0 is `cargo test`-only. Some CI runners may need an explicit feature flag to compile class-0 paths.
-
----
-
-## 4. Alternatives Considered
-
-### Alt 1: Single boolean `privacy_mode` flag (status quo from ADR-115)
-
-Rejected: insufficient granularity. The frame mixes publishable sensing with non-publishable identity, so the gate must operate at field-level, not event-level.
-
-### Alt 2: SHA-256 instead of BLAKE3
-
-Rejected: BLAKE3 keyed-hash mode is ~5× faster on the ESP32-S3 / Cortex-M cores and the security margin is equivalent for this use case. SHA-256 has no keyed-hash mode (HMAC-SHA256 is the alternative; works but is slower).
-
-### Alt 3: Hash rotation on the hour, not the day
-
-Rejected: hourly rotation breaks legitimate "person was here in the morning, came back in the afternoon" use-cases that operators may want. Day boundary is the compromise.
-
-### Alt 4: Per-event nonces instead of daily epoch
-
-Rejected: per-event nonces would force the consumer to track which events came from the same person within a session, which leaks identity information by structure. The day epoch preserves a coarse temporal grouping without leaking finer-grained identity.
-
----
-
-## 5. Acceptance Criteria
-
-- [ ] **AC1**: Calling `Emitter::publish` with a `privacy_class = 0` frame on a `NetworkSink` returns `BfldError::PrivacyViolation`.
-- [ ] **AC2**: Two BFLD nodes with different `site_salt` values observing the same simulated person produce `rf_signature_hash` values whose Hamming distance is ≥ 120 bits over 100 trials (statistical isolation test).
-- [ ] **AC3**: A frame with `privacy_class = 3` has both `identity_risk_score` and `rf_signature_hash` absent from the serialized payload.
-- [ ] **AC4**: `PrivacyGate::demote(class_1_frame, target=0)` fails to compile (compile-fail test).
-- [ ] **AC5**: A PR adding a new field to `BfldEvent` without `#[must_classify]` fails the build.
-- [ ] **AC6**: `IdentityEmbedding` has no `Serialize` impl reachable from any public function.
-- [ ] **AC7**: Dropping an `IdentityEmbedding` value zeroizes its memory (verified by a debugger-readable test under `cargo test --features zeroize-validation`).
-
----
-
-## 6. References
-
-- ADR-118 (umbrella)
-- ADR-119 (frame format; `privacy_class` byte location)
-- KIT BFId (ACM CCS 2025): https://publikationen.bibliothek.kit.edu/1000185756
-- NDSS LeakyBeam (2025): https://www.ndss-symposium.org/wp-content/uploads/2025-5-paper.pdf
-- BLAKE3 keyed-hash: https://github.com/BLAKE3-team/BLAKE3
-- `subtle::Zeroize` for memory hygiene

docs/adr/ADR-121-bfld-identity-risk-scoring.md

@@ -1,182 +0,0 @@
-# ADR-121: BFLD Identity Risk Scoring and Coherence Gate
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-24 |
-| **Deciders** | ruv |
-| **Parent** | [ADR-118](ADR-118-bfld-beamforming-feedback-layer-for-detection.md) |
-| **Relates to** | [ADR-024](ADR-024-contrastive-csi-embedding-model.md) (AETHER), [ADR-027](ADR-027-cross-environment-domain-generalization.md) (MERIDIAN), [ADR-029](ADR-029-ruvsense-multistatic-sensing-mode.md) (multistatic fusion), [ADR-086](ADR-086-edge-novelty-gate.md) (novelty gate precedent), [ADR-120](ADR-120-bfld-privacy-class-and-hash-rotation.md) (privacy class) |
-| **Companion research** | [`docs/research/soul/`](../research/soul/) — risk score doubles as Soul Signature enrollment-quality signal; §2.7 defines the Recalibrate exemption. |
-| **Tracking issue** | TBD |
-
----
-
-## 1. Context
-
-BFLD's distinguishing primitive is the `identity_risk_score` — a scalar that says **"is this capture window currently capable of identifying a specific person?"**. The score has two consumers:
-
-1. **The operator** — exposed as an HA diagnostic sensor (ADR-122). A spike from the long-term baseline indicates the RF environment has shifted toward a higher-leakage regime (new AP firmware, denser MIMO, attacker-grade sniffer in range).
-2. **The privacy gate** (ADR-120) — when the score crosses a configurable threshold, the gate downgrades the active `privacy_class` automatically (e.g., 2 → 3) until the score recovers.
-
-The score must be:
-- **Bounded** in `[0, 1]` for HA gauge entities.
-- **Calibrated** against actual re-ID success rate, ideally on the KIT BFId dataset.
-- **Computable on-device** at ≥ 1 Hz on a Pi 5 core or an aarch64 cognitum-v0.
-- **Stable** — small environmental changes should not produce wild swings; the score is for slow-moving regime detection, not per-frame chatter.
-
-ADR-086 (edge novelty gate) establishes a precedent for an on-device gate primitive. BFLD's risk scoring borrows the gate-pattern but with identity leakage as the trigger condition.
-
----
-
-## 2. Decision
-
-### 2.1 Nine features (from BFLD spec §5)
-
-The features are computed over a sliding window of `W = 32` BFI frames (≈3 s at 10 Hz):
-
-| Feature | Definition | Source |
-|---------|------------|--------|
-| `mean_angle_delta` | mean( ‖ Φ_t − Φ_{t-1} ‖ over subcarriers ) | extractor |
-| `subcarrier_variance` | var( ‖ Φ ‖ over subcarrier axis ) | extractor |
-| `temporal_entropy` | Shannon entropy of angle-bin histogram over W | extractor |
-| `doppler_proxy` | FFT peak magnitude of mean-angle time series | features.rs |
-| `path_stability` | 1 − ‖ Φ_t − median(Φ_{t-W..t}) ‖ / scale | features.rs |
-| `cross_antenna_correlation` | mean Pearson correlation across n_tx × n_rx pairs | features.rs |
-| `burst_motion_score` | high-pass-filtered angular velocity, soft-thresholded | features.rs |
-| `stationarity_score` | 1 − rolling KL divergence over W/2 vs W | features.rs |
-| `identity_separability_score` | top-1 cosine to nearest AETHER cluster centroid | identity_risk.rs |
-
-The first eight are sensing features (also used by the presence/motion pipeline). Only the ninth depends on the AETHER embedding and therefore on `identity_class >= 1`.
-
-### 2.2 Identity risk formula
-
-```rust
-pub fn identity_risk_score(
-    sep: f32,    // identity_separability_score, [0, 1]
-    stab: f32,   // temporal_stability, [0, 1] = ema(path_stability, alpha=0.1)
-    consist: f32,// cross_perspective_consistency, [0, 1] = multistatic.rs
-    conf: f32,   // sample_confidence, [0, 1] = f(SNR, n_subcarriers, n_rx)
-) -> f32 {
-    // Clamp inputs, then multiplicative combination — any factor near 0 dominates.
-    let s = sep.clamp(0.0, 1.0);
-    let t = stab.clamp(0.0, 1.0);
-    let p = consist.clamp(0.0, 1.0);
-    let c = conf.clamp(0.0, 1.0);
-    (s * t * p * c).clamp(0.0, 1.0)
-}
-```
-
-Multiplicative combination is chosen so that **any** weak factor (e.g., very low SNR ⇒ low `conf`) collapses the score toward 0. This matches the privacy intent: when the system is uncertain, the score should be low and the operator should not be alarmed.
-
-### 2.3 Calibration target
-
-The score is calibrated against re-ID success rate on a held-out test split of the KIT BFId dataset. A piecewise-linear isotonic regression maps raw scores into a calibrated `[0, 1]` band where `score ≥ 0.8` corresponds to `>80%` re-ID accuracy on a 5-second window in the calibration dataset.
-
-Calibration parameters live in `v2/crates/wifi-densepose-bfld/data/risk_calibration.toml` and are versioned independently of the code. A regression update is a content-only PR.
-
-### 2.4 Coherence gate
-
-The coherence gate (per ADR-029 `coherence_gate.rs` pattern) consumes the risk score and emits one of four actions:
-
-```rust
-pub enum GateAction {
-    Accept,           // score < 0.5, publish normally
-    PredictOnly,      // 0.5 <= score < 0.7, publish but flag confidence
-    Reject,           // 0.7 <= score < 0.9, drop the event
-    Recalibrate,      // score >= 0.9, drop AND rotate site_salt
-}
-```
-
-The `Recalibrate` action triggers a forced site-salt rotation — an aggressive response to a sustained high-risk regime. It costs the operator continuity of long-term aggregate analytics but is the right answer to an attacker-grade sniffer arriving in range.
-
-### 2.5 Hysteresis
-
-To prevent oscillation around the gate thresholds, the gate uses ±0.05 hysteresis and a 5-second debounce. A score must cross the boundary by the hysteresis margin and persist for the debounce window before the gate action changes.
-
-### 2.6 Soul Signature interaction — Recalibrate exemption and enrollment-quality gate
-
-Soul Signature (`docs/research/soul/`) intentionally exists in a high-separability regime — the whole point of its 60-second enrollment protocol is to push `identity_separability_score` toward 1.0. The default coherence gate (§2.4) would therefore fire `Recalibrate` constantly inside Soul Signature zones, rotating `site_salt` every few seconds and breaking enrollment.
-
-Two integrations resolve this:
-
-1. **Recalibrate exemption.** When the gate is about to fire `Recalibrate`, it consults a `SoulMatchOracle` (provided by the Soul Signature crate when compiled with `--features soul-signature`). If the oracle reports that the current high-separability cluster matches an enrolled `person_id` above the Soul Signature acceptance threshold, the gate downgrades to `PredictOnly` instead. The high score is the *intended* outcome of a successful match, not an attack indicator. Without the `soul-signature` feature, the oracle is a no-op stub returning `MatchOutcome::NotEnrolled`, so the gate behaves exactly per §2.4.
-
-2. **Enrollment-quality gate.** Soul Signature's enrollment protocol (`scanning-process.md` §3) requires that the sensing zone meet a minimum identity-leakage regime — too low, and the resulting signature is unreliable. The BFLD `identity_risk_score` is exactly the right signal. Soul Signature gates enrollment on `score >= ENROLL_MIN` (default `0.65`) sustained over the 60-second window. If the score drops below threshold mid-enrollment, the protocol aborts and the operator is prompted to re-attempt in better RF conditions.
-
-The exemption is asymmetric: it suppresses `Recalibrate` only for known-enrolled matches. Unknown high-separability clusters (a real attacker-grade sniffer, or an unenrolled person whose identity is unexpectedly leaky) still trigger `Recalibrate` as designed.
-
-### 2.7 Compute budget
-
-| Stage | Target latency | Implementation |
-|-------|----------------|----------------|
-| Feature extraction (8 features) | < 3 ms per window | ndarray + nalgebra; vectorized over subcarriers |
-| Separability (cosine to centroids) | < 5 ms per window | RuVector RaBitQ index (ADR-085) over ≤ 1k centroids |
-| Risk score | < 0.1 ms | scalar multiplicative |
-| Gate decision + hysteresis | < 0.1 ms | scalar |
-
-Total p95 ≤ 10 ms per window on a Pi 5 core (8 ms target). Headroom on cognitum-v0 (Pi 5 + Hailo) is ample; ESP32-S3 hosts only the extraction stage (features computed; risk score is host-side per ADR-123). The `SoulMatchOracle` lookup (§2.6) adds < 1 ms when the `soul-signature` feature is enabled (RaBitQ index over enrolled centroids).
-
----
-
-## 3. Consequences
-
-### Positive
-
-- The risk score becomes a first-class diagnostic surface for operators and a structural input to the privacy gate — both consumers from a single computation.
-- Multiplicative combination is conservative under uncertainty; the system is biased toward "report low risk when unsure", which is the right default.
-- Calibration is a content-only update — no recompile needed when the calibration file changes.
-- The recalibration gate action gives the system a self-healing response to a sniffer arrival without operator intervention.
-
-### Negative
-
-- Calibration requires the KIT BFId dataset; without it the score is uncalibrated and serves only as an internal trigger, not a publishable signal.
-- Multiplicative scoring can be dominated by `sample_confidence`, which is sensitive to channel conditions. A persistent low-SNR environment will keep the published score near 0 even when the underlying separability is high — an under-reporting failure mode that the documentation must call out.
-- The recalibrate action breaks historical hash continuity by design; an operator who wants long-term aggregates needs to know they will see a discontinuity on recalibrate events.
-
-### Neutral
-
-- The nine features overlap with the existing CSI pipeline. BFLD computes them on BFI; the CSI pipeline computes them on CSI. Both can be fused via `cross_perspective_consistency`.
-
----
-
-## 4. Alternatives Considered
-
-### Alt 1: Additive scoring (`(s + t + p + c) / 4`)
-
-Rejected: a sample with high separability but very low confidence would still produce a moderate score, which over-reports risk in degraded RF conditions.
-
-### Alt 2: Maximum scoring (`max(s, t, p, c)`)
-
-Rejected: over-reports risk because any single high factor pins the output, even if the others contradict it.
-
-### Alt 3: Learned scoring (a small MLP)
-
-Rejected for this ADR: introduces an opaque model whose output cannot be audited from first principles. The multiplicative formula is simple, conservative, and directly explainable to operators. A learned model is a future option once enough calibration data is in hand.
-
-### Alt 4: Per-feature thresholds instead of a continuous score
-
-Rejected: continuous score is needed for the HA gauge entity and for downstream calibration. Per-feature thresholds would force operators to interpret nine separate binaries.
-
----
-
-## 5. Acceptance Criteria
-
-- [ ] **AC1**: All nine features are computed in `< 8 ms` p95 per window on a Pi 5 core.
-- [ ] **AC2**: `identity_risk_score` is monotonic non-decreasing in any single input when the other three are held constant.
-- [ ] **AC3**: Calibration regression on the KIT BFId test split: `score ≥ 0.8` corresponds to ≥ 80% re-ID accuracy ± 5%.
-- [ ] **AC4**: The coherence gate emits `Recalibrate` if score is ≥ 0.9 for ≥ 5 seconds.
-- [ ] **AC5**: Hysteresis prevents action oscillation across ± 0.05 of a threshold within a 5-second window.
-- [ ] **AC6**: At `privacy_class = 3`, the risk score is computed but not published to MQTT (kept local for the gate only).
-- [ ] **AC7**: A reproducible 1,000-frame synthetic fixture produces a deterministic score sequence (bit-identical across runs).
-
----
-
-## 6. References
-
-- ADR-118 (umbrella)
-- ADR-024 (AETHER encoder for separability)
-- ADR-029 (`coherence_gate.rs` precedent)
-- ADR-086 (edge novelty gate pattern)
-- ADR-120 §2.4 (class transition consumed by gate)
-- KIT BFId dataset: https://publikationen.bibliothek.kit.edu/1000185756

docs/adr/ADR-122-bfld-ruview-ha-matter-exposure.md

@@ -1,210 +0,0 @@
-# ADR-122: BFLD RuView Surface — Home Assistant, Matter, MQTT Exposure
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-24 |
-| **Deciders** | ruv |
-| **Parent** | [ADR-118](ADR-118-bfld-beamforming-feedback-layer-for-detection.md) |
-| **Relates to** | [ADR-031](ADR-031-ruview-sensing-first-rf-mode.md) (sensing-first), [ADR-100](ADR-100-cog-packaging-specification.md) (cog packaging), [ADR-115](ADR-115-home-assistant-integration.md) (HA-DISCO + HA-MIND), [ADR-116](ADR-116-cog-ha-matter-seed.md) (Matter cog), [ADR-120](ADR-120-bfld-privacy-class-and-hash-rotation.md) (privacy class) |
-| **Companion research** | [`docs/research/soul/`](../research/soul/) — Soul Signature deployments expose enrolled-match diagnostics only over HA, never Matter. See §2.7. |
-| **Tracking issue** | TBD |
-
----
-
-## 1. Context
-
-ADR-115 shipped the RuView Home Assistant surface (21 entities, MQTT auto-discovery, mTLS, privacy mode) on the `wifi-densepose-sensing-server` Rust binary. ADR-116 is packaging this as the `cog-ha-matter` Cognitum Seed cog. BFLD must integrate into this surface without expanding the privacy-sensitive footprint already in production.
-
-The integration must:
-
-1. **Extend HA-DISCO** to advertise BFLD entities via the existing MQTT-discovery scheme.
-2. **Reject identity fields at the Matter boundary** — Matter exposes occupancy/motion/people-count only, never `identity_risk_score` or `rf_signature_hash`.
-3. **Route MQTT topics by privacy class** — class-2/3 events on the public topic tree, class-1 events on a gated `research/` subtree, class-0 events nowhere.
-4. **Federate cleanly into cognitum-v0** — BFLD events from multiple nodes flow through `cognitum-rvf-agent` (port 9004 per CLAUDE.local.md) for cross-node analytics, but identity-derived fields are stripped at the **publishing-node boundary**, not at the federation hub.
-
----
-
-## 2. Decision
-
-### 2.1 HA entity surface (six new entities per node)
-
-The cog republishes the existing 21 ADR-115 entities and adds:
-
-| Entity ID | Type | Source field | Class gate | Diagnostic |
-|-----------|------|--------------|------------|------------|
-| `binary_sensor.<node>_bfld_presence` | occupancy | `BfldEvent.presence` | ≥ 2 | no |
-| `sensor.<node>_bfld_motion` | gauge `[0,1]` | `BfldEvent.motion` | ≥ 2 | no |
-| `sensor.<node>_bfld_person_count` | int | `BfldEvent.person_count` | ≥ 2 | no |
-| `sensor.<node>_bfld_zone_activity` | enum | `BfldEvent.zone_activity` | ≥ 2 | no |
-| `sensor.<node>_bfld_identity_risk` | gauge `[0,1]` | `BfldEvent.identity_risk_score` | == 2 only | **yes** |
-| `sensor.<node>_bfld_confidence` | gauge `[0,1]` | `BfldEvent.confidence` | ≥ 2 | yes |
-
-The `identity_risk` entity is exposed only under privacy class 2 and is flagged `entity_category: diagnostic` so HA dashboards do not promote it to a main-card sensor by default. Under class 3 it is computed but not published (per ADR-121 §2.4).
-
-MQTT discovery payload follows the ADR-115 schema, plus a `bfld_version` attribute matching the `BfldFrameHeader::version` field.
-
-### 2.2 MQTT topic tree
-
-```
-ruview/<node_id>/bfld/presence/state              # class >= 2
-ruview/<node_id>/bfld/motion/state                # class >= 2
-ruview/<node_id>/bfld/person_count/state          # class >= 2
-ruview/<node_id>/bfld/zone_activity/state         # class >= 2
-ruview/<node_id>/bfld/confidence/state            # class >= 2
-ruview/<node_id>/bfld/identity_risk/state         # class == 2 only
-ruview/<node_id>/bfld/raw                         # class 1, OFF by default
-ruview/<node_id>/bfld/availability                # online/offline marker
-```
-
-`raw` (class-1 derived BFI) is **not present** in the discovery payload at all — operators must explicitly subscribe and acknowledge the research-mode caveat. The publishing crate emits `MQTT_RAW_DISABLED` to availability when `privacy_class < 1`.
-
-### 2.3 Mosquitto ACL example
-
-```
-# Default-deny everything not explicitly granted
-pattern read  ruview/+/bfld/+/state
-pattern read  ruview/+/bfld/availability
-
-# Public roles cannot read identity_risk or raw
-user public
-deny  read ruview/+/bfld/identity_risk/state
-deny  read ruview/+/bfld/raw
-
-# Operator role can read identity_risk for diagnostics
-user operator
-allow read ruview/+/bfld/identity_risk/state
-
-# Research role can read raw (requires class-1 operation)
-user research
-allow read ruview/+/bfld/raw
-```
-
-The cog ships a default ACL template under `cog-ha-matter/etc/mosquitto.acl.d/bfld.conf` for operators who use the embedded broker (ADR-116 §2.2).
-
-### 2.4 Matter cluster boundary
-
-`cog-ha-matter` exposes BFLD via **three Matter clusters** only:
-
-| Matter cluster | Source entity | Notes |
-|---|---|---|
-| Occupancy Sensing (0x0406) | `binary_sensor.<node>_bfld_presence` | reports binary occupancy + uncertainty (mapped from `confidence`) |
-| Boolean State (0x0045) | `sensor.<node>_bfld_motion >= 0.3` | thresholded; raw motion not exposed |
-| Occupancy Sensing extension | `sensor.<node>_bfld_person_count` | uses occupancy-sensor count where Matter spec supports |
-
-**Explicitly NOT exposed via Matter**:
-
-- `identity_risk_score`
-- `rf_signature_hash`
-- `identity_embedding`
-- `raw` BFI
-- `zone_activity` (zone IDs are site-specific and Matter is a cross-site surface)
-- `confidence` (HA-only diagnostic)
-
-The Matter filter is implemented in `cog-ha-matter/src/matter/bfld_filter.rs` as a `MatterSink` trait impl that rejects classes 0 and 1 at compile time (via ADR-120 §2.2 marker types).
-
-### 2.5 Federation with cognitum-v0
-
-`cognitum-rvf-agent` (port 9004) receives BFLD events from multiple nodes. The events arriving at the federation hub are **already class-2/3** — identity-derived fields were stripped at each publishing node. The hub does not see and cannot reconstruct raw BFI or identity embeddings.
-
-The federation contract:
-
-| At publishing node | At cognitum-rvf-agent |
-|---|---|
-| Strip class-0/1 fields per ADR-120 | Receive class-2/3 events only |
-| Rotate `rf_signature_hash` per ADR-120 §2.3 | Aggregate counts; **do not** correlate hashes across sites |
-| Sign event with node Ed25519 key | Verify signature; reject unsigned events |
-
-A `federation-witness` script (extending ADR-028) runs nightly on the hub and proves that no class-0/1 fields appeared in any received event over the previous 24 h.
-
-### 2.6 HA blueprints (shipped with the cog)
-
-Three operator-ready blueprints under `cog-ha-matter/blueprints/`:
-
-1. **Presence-driven lighting** — `binary_sensor.*_bfld_presence` ⇒ `light.turn_on/off` with configurable hold time.
-2. **Motion-aware HVAC** — `sensor.*_bfld_motion > 0.3` ⇒ raise HVAC setpoint by ΔT.
-3. **Identity-risk anomaly notification** — `sensor.*_bfld_identity_risk` exceeds rolling z-score threshold ⇒ HA `notify.*` to the operator with the originating node and the 7-day baseline.
-
-### 2.7 Soul Signature deployment posture
-
-When the cog is compiled with `--features soul-signature`, two additional HA entities are exposed **at class 1 only**, and **never** over Matter:
-
-| Entity ID | Type | Source | Class gate | Matter |
-|-----------|------|--------|------------|--------|
-| `sensor.<node>_soul_match_id` | string (opaque `person_id`) | Soul Signature match oracle | == 1 only | **rejected** |
-| `sensor.<node>_soul_match_score` | gauge `[0,1]` | Match similarity | == 1 only | **rejected** |
-| `sensor.<node>_soul_enrollment_quality` | gauge `[0,1]` | Mirror of `identity_risk_score` during enrollment | == 1 only | **rejected** |
-
-These entities are part of the consent-based diagnostic surface for operators running Soul Signature deployments (care homes with explicit GDPR Art. 9 basis, employment with consent, etc.). The Matter cluster boundary in §2.4 already rejects them by type — the `MatterSink` impl only accepts class-2/3 frames, so `soul_match_id` is structurally unreachable through Matter.
-
-Class-3 deployments **disable Soul Signature** entirely: the `match_against_enrolled()` call returns `MatchOutcome::Suppressed` and no soul entities are published. This makes class 3 the correct setting for any deployment where consent is uncertain or where regulators require Soul Signature to be unavailable.
-
-A fourth blueprint ships only when `--features soul-signature` is enabled:
-
-4. **Enrolled-person arrival notification** — `sensor.*_soul_match_id` transitions to a non-null value ⇒ HA `notify.*` to the enrolled person's configured contact (typically themselves or a designated caregiver). Default off; operator must opt in per enrolled person.
-
----
-
-## 3. Consequences
-
-### Positive
-
-- Six new HA entities give operators a complete BFLD diagnostic dashboard without leaking identity.
-- Matter exposure is structurally narrow — the cluster-filter implementation cannot accidentally expose identity fields because the type system rejects them.
-- The default ACL template gives operators a working privacy posture out of the box.
-- The federation contract makes it explicit that the hub cannot reconstruct identity even from the union of all node events.
-
-### Negative
-
-- The `identity_risk` HA entity exists only under class 2. Operators who run class 3 deployments cannot see the score even in their own dashboard. This is correct but may surprise care-home installers; documentation must be clear.
-- Three Matter clusters is conservative — some HA users may want the count exposed as a percentage or rate, which Matter does not support natively.
-- HA-blueprint coverage is intentionally small; operators wanting custom automations must work through the YAML surface.
-
-### Neutral
-
-- The federation witness script runs nightly. A short-duration leak between witnesses is possible but bounded — any successful exfiltration of class-1 fields would still need to be reconstructed into identity, which the daily hash rotation breaks.
-
----
-
-## 4. Alternatives Considered
-
-### Alt 1: Expose `identity_risk` over Matter (Generic Sensor cluster)
-
-Rejected: Matter is a cross-vendor surface; exposing identity-risk there leaks the score to every Matter controller in the home, including third-party hubs the operator may not control. Keep it HA-internal.
-
-### Alt 2: One unified MQTT topic `ruview/<node>/bfld` with JSON payload
-
-Rejected: per-entity topics are the HA-DISCO convention (ADR-115) and let ACLs be field-specific. A unified topic forces an all-or-nothing read policy.
-
-### Alt 3: Federate raw BFI to cognitum-v0 for cross-node analytics
-
-Rejected: violates ADR-120 I1 (raw never leaves the node). Aggregates are sufficient for cross-node analytics; raw centralization is a hard no.
-
-### Alt 4: Default `entity_category: diagnostic = false` for `identity_risk`
-
-Rejected: promoting `identity_risk` to a main-card sensor would surprise operators with an identity-adjacent gauge on their main dashboard. Diagnostic category is the right default.
-
----
-
-## 5. Acceptance Criteria
-
-- [ ] **AC1**: HA auto-discovery publishes six new entities per node on first connect; HA recognizes all six.
-- [ ] **AC2**: Under privacy class 3, `sensor.<node>_bfld_identity_risk` is absent from the MQTT discovery payload.
-- [ ] **AC3**: `MatterSink::publish` rejects any frame at compile time when the source has `privacy_class < 2`.
-- [ ] **AC4**: The default mosquitto ACL denies `read ruview/+/bfld/identity_risk/state` to the `public` user role.
-- [ ] **AC5**: Three HA blueprints install cleanly into a fresh HA install and trigger their configured actions against a mock BFLD event stream.
-- [ ] **AC6**: The federation-witness script detects an injected class-1 field in a synthetic event and exits non-zero.
-- [ ] **AC7**: Matter occupancy-sensing cluster reports presence within 1 s of an HA `binary_sensor.*_bfld_presence` state change.
-
----
-
-## 6. References
-
-- ADR-115 (HA-DISCO entity scheme)
-- ADR-116 (`cog-ha-matter` cog packaging)
-- ADR-120 (privacy class enforcement)
-- ADR-121 (identity risk source)
-- ADR-100 (cog packaging spec)
-- Mosquitto ACL reference: https://mosquitto.org/man/mosquitto-conf-5.html
-- Matter spec — Occupancy Sensing cluster (0x0406)
-- Cognitum V0 appliance dashboard: `http://cognitum-v0:9000/`

docs/adr/ADR-123-bfld-capture-path-nexmon-and-esp32.md

@@ -1,186 +0,0 @@
-# ADR-123: BFLD Capture Path — Pi 5 / Nexmon Adapter and ESP32-S3 Feasibility
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-24 |
-| **Deciders** | ruv |
-| **Parent** | [ADR-118](ADR-118-bfld-beamforming-feedback-layer-for-detection.md) |
-| **Relates to** | [ADR-022](ADR-022-multi-bssid-wifi-scanning.md) (multi-BSSID scan), [ADR-028](ADR-028-esp32-capability-audit.md) (capability audit), [ADR-095](ADR-095-rvcsi-edge-rf-sensing-platform.md) (rvCSI), [ADR-096](ADR-096-rvcsi-ffi-crate-layout.md) (rvCSI FFI), [ADR-110](ADR-110-esp32-c6-firmware-extension.md) (C6 firmware), [ADR-119](ADR-119-bfld-frame-format-and-wire-protocol.md) (BfldFrame) |
-| **Tracking issue** | TBD |
-
----
-
-## 1. Context
-
-ADR-118 declares that BFLD captures BFI from commodity WiFi 5/6 traffic. The question this sub-ADR answers is: **on which hardware, with which adapter, and against which firmware limitations**.
-
-### 1.1 ESP32-S3 BFI capability gap
-
-The ESP32 capability audit (ADR-028) and the ESP32-S3 / C6 firmware (`firmware/esp32-csi-node/`, ADR-110) confirm that the Espressif WiFi API exposes **CSI** capture (`esp_wifi_set_csi_*`) but does not expose **raw 802.11 management-frame capture** in monitor mode for non-self-addressed CBFR reports. The S3 sees the CBFR frames its own AP-link generates (when it acts as a beamformer), but it cannot promiscuously sniff CBFR frames between other STA/AP pairs in the neighborhood.
-
-The C6 (ESP32-C6 with RISC-V + Wi-Fi 6) has a more flexible RF subsystem but the same software-API constraint at the time of writing.
-
-### 1.2 Pi 5 / Nexmon as the production capture host
-
-The rvCSI platform (ADR-095/096) already vendors a Nexmon-based adapter (`rvcsi-adapter-nexmon`) that captures CSI from BCM43455c0 chips (Pi 5 / Pi 4 / Pi 3B+). Nexmon patches the firmware to surface CSI to userspace and **also surface CBFR frames** — the BFI extension is the same code path with a different filter.
-
-cognitum-v0 (Pi 5 in the fleet, per CLAUDE.local.md) is already running Nexmon + the rvCSI runtime. It is the natural BFLD capture host.
-
-### 1.3 What we need from each hardware tier
-
-| Tier | Role | BFI capture | CSI capture | Notes |
-|------|------|-------------|-------------|-------|
-| ESP32-S3 / C6 | Sensing leaf | **no** | yes | Continues providing CSI to the existing pipeline |
-| Pi 5 / Nexmon | BFLD host | **yes** | yes (via Nexmon) | Primary BFLD capture |
-| ruvultra (RTX 5080 + AX210) | Training / dev | yes (via AX210 monitor mode) | yes | Dev capture; not production |
-| cognitum-v0 (Pi 5) | Appliance | **yes** (production) | yes | Production BFLD host |
-
----
-
-## 2. Decision
-
-### 2.1 Production capture path: Pi 5 / Nexmon
-
-The BFLD production capture path is implemented as a new module in the vendored rvCSI submodule:
-
-```
-vendor/rvcsi/crates/rvcsi-adapter-nexmon/
-└── src/
-    ├── lib.rs
-    ├── csi.rs                  # existing CSI capture
-    └── bfi.rs                  # NEW — CBFR capture, exports BfiCapture
-```
-
-The new `bfi.rs` parses CBFR frames (VHT or HE) from the Nexmon-patched firmware's userspace stream, extracts Φ/ψ angle matrices, and emits a `BfiCapture` struct that feeds the BFLD crate's extractor (ADR-118 §2.1, ADR-119).
-
-The patch lives in the rvcsi submodule (`github.com/ruvnet/rvcsi`) and is shipped as `rvcsi-adapter-nexmon ^0.3.5` to crates.io. The wifi-densepose workspace consumes the published crate (or the submodule path during development).
-
-### 2.2 BFLD crate adapter trait
-
-`wifi-densepose-bfld` defines a `BfiCaptureAdapter` trait:
-
-```rust
-pub trait BfiCaptureAdapter: Send + 'static {
-    type Error: std::error::Error + Send + Sync + 'static;
-    fn capture(&mut self) -> Result<Option<BfiCapture>, Self::Error>;
-    fn capabilities(&self) -> AdapterCapabilities;
-}
-
-pub struct AdapterCapabilities {
-    pub supports_he: bool,           // 802.11ax (Wi-Fi 6)
-    pub supports_160mhz: bool,
-    pub max_n_rx: u8,
-    pub host_kind: HostKind,         // Pi5Nexmon | Ax210Linux | EspS3Local | Mock
-}
-```
-
-Three impls ship initially:
-
-- `NexmonBfiAdapter` — Pi 5 / Nexmon (production)
-- `Ax210BfiAdapter` — Linux + AX210 in monitor mode (dev / training, ruvultra)
-- `MockBfiAdapter` — replay fixture for tests and CI
-
-A future fourth impl (`EspS3LocalAdapter`) is reserved for the day Espressif exposes promiscuous CBFR — it captures only the S3's own AP-link BFI for local self-reporting.
-
-### 2.3 Capture-side privacy boundary
-
-Per ADR-120 I1, raw BFI never leaves the capturing host. The adapter must therefore live on **the same physical box** as the BFLD crate's extractor and privacy gate. The architecture pattern:
-
-```
-[ Pi 5 / cognitum-v0 ]
-├── nexmon firmware (kernel)
-├── rvcsi-adapter-nexmon (userspace, captures BFI)
-├── wifi-densepose-bfld (extracts, scores, gates)
-│       └── privacy_gate → class-2/3 frames only
-└── wifi-densepose-sensing-server (publishes MQTT + Matter)
-```
-
-A network-mode adapter that streams raw BFI from a remote capture host is **explicitly forbidden**. The adapter trait does not include any "remote URL" parameter.
-
-### 2.4 Channel / bandwidth coverage
-
-The Nexmon adapter is configured by the existing `rvcsi-adapter-nexmon` channel-hopping schedule (ADR-095 §3.2). For BFLD it adds:
-
-- Filter for VHT CBFR (action frame, category 21, action 0) and HE CBFR (category 30, action 0).
-- Per-channel BFI session-tracking — the same beamformer/beamformee pair across a channel hop is reconciled by AP MAC + STA MAC.
-
-### 2.5 ESP32-S3 local self-reporting (deferred)
-
-For deployments without a Pi 5 / cognitum-v0 nearby, a degraded BFLD mode runs on the ESP32-S3 itself:
-
-- Captures only its own AP-link CBFR (self-addressed).
-- Computes features over the limited window.
-- Reports a coarsened `presence` + `motion` only — no `identity_risk_score` (insufficient sample diversity).
-- Emits `BfldFrame` at `privacy_class = 2` with a `flags.bit3 = self_only` marker.
-
-This path is implemented in firmware as part of P2 / P3 of the ADR-118 rollout, after the Pi 5 path is stable. Effort is small (firmware path reuses the existing CSI capture loop) but the value is also low until ESP32 firmware exposes promiscuous CBFR — which is a Espressif-IDF roadmap item, not under project control.
-
-### 2.6 Dev path: ruvultra / AX210
-
-For local dev iteration on the Windows / ruvultra box, the AX210 adapter provides a workable capture path on Linux (ruvultra is Ubuntu 6.17 per CLAUDE.local.md). The AX210 supports 802.11ax + monitor mode with the `iwlwifi` driver patches that have landed upstream. This path is for training-data collection and dev testing, not production.
-
----
-
-## 3. Consequences
-
-### Positive
-
-- BFLD ships as a production-ready surface on cognitum-v0 day one — no new hardware procurement.
-- The adapter-trait design lets new capture paths (AX211, MediaTek Filogic, etc.) slot in without changes to the BFLD crate.
-- The capture-side privacy boundary is structural: there is no remote-capture code path, so a future PR cannot accidentally introduce one.
-- ruvultra's AX210 path unblocks training and dev iteration on Linux without depending on the Pi 5 fleet.
-
-### Negative
-
-- BFLD's full pipeline depends on cognitum-v0 (or another Pi 5 / Nexmon host) being present in the deployment. Operators without a Pi 5 get only the degraded ESP32-S3 self-reporting path (limited utility).
-- Nexmon is a third-party kernel module; tracking upstream patches is ongoing maintenance.
-- The CBFR frame format differs between VHT (802.11ac) and HE (802.11ax); the parser must support both, and any 802.11be (Wi-Fi 7) deployment will require an additional parser path.
-
-### Neutral
-
-- ruvultra dev path uses AX210; the AX210 is not the production NIC, so dev/prod parity is via the fixture replay + the Nexmon adapter on cognitum-v0.
-
----
-
-## 4. Alternatives Considered
-
-### Alt 1: Centralized capture host streams raw BFI to RuView nodes
-
-Rejected: violates ADR-120 I1 (raw never leaves the capture host). The capture host **is** the BFLD node; there is no separation.
-
-### Alt 2: Wait for Espressif promiscuous CBFR support
-
-Rejected: indefinite timeline outside project control. The Pi 5 / Nexmon path is shippable today.
-
-### Alt 3: Custom Pi 5 firmware fork instead of Nexmon
-
-Rejected: forking BCM firmware is a huge maintenance burden and Nexmon already does what we need.
-
-### Alt 4: Only ship the ESP32-S3 self-reporting path
-
-Rejected: insufficient sample diversity for `identity_risk_score`. The whole point of BFLD is to measure identity leakage; a self-only path cannot do that meaningfully.
-
----
-
-## 5. Acceptance Criteria
-
-- [ ] **AC1**: `NexmonBfiAdapter` captures ≥ 100 valid CBFR frames per minute from a 2-AP-3-STA test bench on a Pi 5 (cognitum-v0).
-- [ ] **AC2**: VHT (802.11ac) and HE (802.11ax) CBFR frames are both parsed; mixed-PHY captures produce correctly-typed `BfiCapture` outputs.
-- [ ] **AC3**: 20/40/80/160 MHz channel widths are all supported (one fixture each in `tests/`).
-- [ ] **AC4**: `BfiCaptureAdapter` trait has no method accepting a remote URL or socket address.
-- [ ] **AC5**: ESP32-S3 self-only adapter compiles `#[no_std]` and produces a `BfldFrame` with `flags.bit3 = self_only` set, no `identity_risk_score` field.
-- [ ] **AC6**: AX210 adapter on ruvultra captures CBFR for at least one fixture-generating dev session.
-- [ ] **AC7**: Capture loop sustains 10 Hz BFI frame rate on cognitum-v0 without dropping frames over a 10-minute soak test.
-
----
-
-## 6. References
-
-- ADR-095 / ADR-096 (rvCSI Nexmon adapter)
-- ADR-028 (ESP32 capability audit)
-- ADR-110 (ESP32-C6 firmware)
-- Nexmon BCM43455c0 patches: https://github.com/seemoo-lab/nexmon
-- Wi-BFI: https://arxiv.org/abs/2309.04408
-- IEEE 802.11-2020 §19.3.12 (VHT CBFR), §27.3.11 (HE CBFR)
-- cognitum-v0 fleet entry: `CLAUDE.local.md` (Tailscale fleet table)

docs/adr/ADR-124-rvagent-mcp-ruvector-npm-integration.md

@@ -1,466 +0,0 @@
-# ADR-124: rvagent — MCP (stdio + Streamable HTTP) + ruvector npm/TypeScript library for RuView with ruflo integration
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-24 |
-| **Deciders** | ruv |
-| **Codename** | **SENSE-BRIDGE** — a typed bridge between the RuView sensing stack and the MCP agent ecosystem |
-| **Relates to** | [ADR-055](ADR-055-integrated-sensing-server.md) (sensing-server), [ADR-095](ADR-095-rvcsi-edge-rf-sensing-platform.md) (rvCSI), [ADR-097](ADR-097-adopt-rvcsi-as-ruview-csi-runtime.md) (rvCSI adoption), [ADR-115](ADR-115-home-assistant-integration.md) (HA-DISCO), [ADR-116](ADR-116-cog-ha-matter-seed.md) (Seed cog), [ADR-117](ADR-117-pip-wifi-densepose-modernization.md) (PIP-PHOENIX), [ADR-118](ADR-118-bfld-beamforming-feedback-layer-for-detection.md) (BFLD) |
-| **Tracking issue** | TBD |
-
----
-
-## 1. Context
-
-### 1.1 The access-layer gap
-
-The RuView / wifi-densepose Rust stack exposes sensing data through three surfaces: a Tokio/Axum HTTP REST API and WebSocket at `wifi-densepose-sensing-server` (ADR-055); an MQTT namespace under `ruview/<node_id>/*` (ADR-115); and an rvCSI edge runtime (ADR-095/096). None of these surfaces speaks Model Context Protocol (MCP).
-
-MCP is the dominant inter-process contract through which AI assistants (Claude, GPT, Codex) invoke external capabilities in 2026. Without an MCP bridge, RuView's sensing primitives are invisible to AI-driven automation workflows. An agent cannot ask "who is in the room?" or "subscribe me to fall alerts" without bespoke HTTP integration code in every consuming agent.
-
-Two concrete user stories that SENSE-BRIDGE resolves:
-
-1. A developer has a Claude Code session and wants to call `vitals.get_heart_rate` from a prompt — today this requires them to write an HTTP fetch, parse JSON, and handle WebSocket reconnect logic; with SENSE-BRIDGE they install `@ruvnet/rvagent` and the tool is available immediately via `claude mcp add rvagent`.
-2. A ruflo-orchestrated multi-agent swarm needs real-world presence data to gate a workflow: SENSE-BRIDGE gives the swarm an MCP tool call with the same `mcp__claude-flow__*` signature pattern already used for all other ruflo tools (CLAUDE.md §Ruflo Automation Primitives).
-
-### 1.2 What rvagent is today
-
-Research of the ruvnet npm registry profile and the ruflo GitHub repository (issue #1689) establishes that **rvagent is not yet a published standalone npm package** as of 2026-05-24. The name "rvagent" appears in the ruflo project exclusively as a WASM artifact (`rvagent_wasm_bg.wasm`, 588 KB) bundled with the RuFlo Web UI (PR #1687). That artifact exports 13 WASM functions including `callMcp`, `executeTool`, `listTools`, `listGalleryTemplates`, `searchGalleryTemplates`, and `loadGalleryTemplate`. It is an in-browser MCP client runner, not a RuView-specific MCP server.
-
-There is no `rvagent` package on the npm registry as of this writing. The npm name is therefore available (Q1 in §8). The package name to register is `@ruvnet/rvagent` (scoped form, reduces name-squatting risk) or `rvagent` (unscoped form, simpler `npx` invocation). This ADR proposes `@ruvnet/rvagent`.
-
-The WASM `callMcp` / `executeTool` surface of the existing ruflo rvagent is the functional model for what the new npm package should expose in TypeScript — but the new package is a **server**, not a client, and its tools are RuView-domain-specific rather than general ruflo-gallery tools.
-
-### 1.3 MCP transport landscape as of 2026-05-24
-
-The MCP specification shipped version `2025-03-26` (Streamable HTTP) and `2025-06-18` (current stable) replacing the legacy `2024-11-05` HTTP+SSE transport. Key facts relevant to this ADR:
-
-- **stdio** remains the recommended local transport. Clients launch the MCP server as a subprocess; the server reads JSON-RPC from stdin and writes to stdout. This is the path `claude mcp add <name> -- npx @ruvnet/rvagent stdio` uses (CLAUDE.md §Quick Setup mirrors this pattern for the claude-flow MCP server).
-- **Streamable HTTP** (colloquially "SSE" in earlier documentation) replaces the deprecated pure-SSE transport. A single HTTP endpoint at e.g. `POST /mcp` accepts JSON-RPC requests and may respond with `Content-Type: text/event-stream` for streaming, or `application/json` for single-turn responses. The server must validate `Origin` headers and bind to `127.0.0.1` by default (MCP spec security requirement).
-- The `@modelcontextprotocol/sdk` npm package (latest stable at time of writing) ships `Server`, `StdioServerTransport`, and `StreamableHTTPServerTransport`. A single `Server` instance can be connected to both transports simultaneously by calling `server.connect(transport)` for each.
-- The legacy `SSEServerTransport` from protocol version `2024-11-05` is deprecated but still ship-able for backwards compatibility with older Claude desktop clients. SENSE-BRIDGE will support it behind an `--legacy-sse` flag for a single release cycle, then remove it.
-
-### 1.4 ruvector npm surface
-
-The `ruvector` npm package (version 0.2.x, latest 0.2.25 as of ~2026-05-01) is a napi-rs WASM/Node.js binding of the RuVector Rust crate. It provides:
-
-- HNSW in-memory vector index (sub-0.5 ms query latency, 50 K+ QPS single-threaded)
-- 50+ attention mechanisms from the RuVector Rust crate
-- FlashAttention-3 SIMD path
-- Graph Neural Network support via `@ruvector/gnn`
-- Full TypeScript types; ships both ESM and CJS
-
-The `ruvector` package is already a dependency in the existing Rust workspace's napi-rs node bindings (`ruvector-node` crate, version 0.1.29 on crates.io). The npm package and the Rust crate are developed in the same repository (`github.com/ruvnet/ruvector`). SENSE-BRIDGE can depend on `ruvector` directly without needing to add new Rust FFI — the vector ops needed (HNSW index of pose keypoints, embedding storage for AETHER person re-ID) are already exposed in the npm package's public surface.
-
-### 1.5 ruflo integration context
-
-The project's `CLAUDE.md` documents the 3-tier model routing (ADR-026) and the `mcp__claude-flow__*` tool namespace. ruflo exposes 314 native MCP tools. SENSE-BRIDGE adds a new domain namespace `mcp__rvagent__*` that represents RuView sensing capabilities, parallel to but separate from the ruflo tools. The boundary is:
-- **ruflo**: agent orchestration, memory, swarm coordination, hooks, task management
-- **rvagent / SENSE-BRIDGE**: RuView-specific sensing — presence, vitals, pose, BFLD, semantic primitives
-
-ruflo can call rvagent tools via the standard MCP tool-call mechanism; rvagent does not depend on ruflo at runtime (but may optionally use ruflo memory namespaces for persistence).
-
----
-
-## 2. Decision
-
-Ship `@ruvnet/rvagent` as a standalone npm TypeScript library that:
-
-1. Exposes a **dual-transport MCP server** (stdio + Streamable HTTP) wrapping RuView sensing primitives.
-2. Uses `ruvector` (npm) as the vector storage layer for pose embeddings and AETHER-class semantic search, with no reimplementation of vector ops in TypeScript.
-3. Mirrors the Python `wifi_densepose.client.*` surface (ADR-117 P4 — `python/wifi_densepose/client/ws.py`, `mqtt.py`, `primitives.py`) in TypeScript for parity across runtimes.
-4. Integrates as a ruflo plugin via the `ruflo-plugin` manifest convention, exposing tools in the `mcp__rvagent__*` namespace callable by ruflo agents.
-5. Ships strict TypeScript source, ESM + CJS dual output, Node.js 20+ minimum, type definitions in the tarball, zero bundler required.
-
----
-
-## 3. Transport comparison
-
-| Dimension | stdio | Streamable HTTP |
-|---|---|---|
-| **Launch mechanism** | Client forks `npx @ruvnet/rvagent stdio` as subprocess | Client POSTs to `http://host:port/mcp` |
-| **Primary use case** | Claude Code, Cursor, IDE plugins — local developer flow | Remote agents, ruflo swarms on separate hosts, browser-based dashboards |
-| **Connection state** | One client per server process; process dies with client | Multiple clients per server process; stateless or session-keyed |
-| **Streaming** | Newline-delimited JSON on stdout | `text/event-stream` response body |
-| **Auth** | None needed (process-level isolation) | Bearer token or mTLS required (per MCP spec security rules) |
-| **RuView sensing-server connectivity** | Server process holds a single WebSocket + MQTT connection to sensing-server; results forwarded to client via JSON-RPC | Server process holds a connection pool; session affinity via `Mcp-Session-Id` header |
-| **Tailscale fleet** | Works on local node only | Works across Tailscale fleet (cognitum-v0, cognitum-seed-1, ruvultra) with DNS name |
-| **Origin validation** | Not applicable | Required; server MUST reject cross-origin requests unless CORS policy explicitly permits |
-| **Resumability** | Not applicable (process is co-located) | Optional `Last-Event-ID` header for stream resumption after reconnect |
-| **Logging** | stderr — captured by Claude Code, displayed in conversation | Structured JSON to stdout, shipped to ruflo observability (ADR-observability) |
-| **Process lifecycle** | Ephemeral — exits when Claude Code session ends | Long-lived — suitable for always-on sensing daemon |
-| **When to choose** | Single developer, local ESP32 (COM9), quick scripting | Fleet deployment, multi-agent ruflo swarms, web dashboards |
-
-Both transports are served by the same `Server` instance from `@modelcontextprotocol/sdk`. The only difference is the `Transport` class passed to `server.connect()`.
-
----
-
-## 4. MCP tool catalog
-
-All tools are in the `ruview` namespace. Input schemas below are TypeScript interface stubs; output types mirror the Python dataclasses from `python/wifi_densepose/client/ws.py` and `primitives.py`.
-
-### 4.1 Tool catalog table
-
-| Tool name | Input interface | Return shape | RuView surface wrapped |
-|---|---|---|---|
-| `ruview.presence.now` | `{ node_id?: string }` | `{ node_id: string; present: boolean; n_persons: number; confidence: number; timestamp_ms: number }` | `EdgeVitalsMessage.presence` / `EdgeVitalsMessage.n_persons` (ws.py:74-88) |
-| `ruview.vitals.get_breathing` | `{ node_id?: string; window_s?: number }` | `{ node_id: string; breathing_rate_bpm: number \| null; confidence: number; timestamp_ms: number }` | `EdgeVitalsMessage.breathing_rate_bpm` (ws.py:82) |
-| `ruview.vitals.get_heart_rate` | `{ node_id?: string; window_s?: number }` | `{ node_id: string; heartrate_bpm: number \| null; confidence: number; timestamp_ms: number }` | `EdgeVitalsMessage.heartrate_bpm` (ws.py:83) |
-| `ruview.vitals.get_all` | `{ node_id?: string }` | `EdgeVitalsResult` (all fields of `EdgeVitalsMessage` except `raw`) | Full `EdgeVitalsMessage` (ws.py:74-88) |
-| `ruview.pose.latest` | `{ node_id?: string }` | `{ node_id: string; persons: PosePersonResult[]; confidence: number; timestamp_ms: number }` | `PoseDataMessage` (ws.py:91-98) |
-| `ruview.pose.subscribe` | `{ node_id?: string; duration_s: number; callback_url?: string }` | `{ subscription_id: string; started_at: number; expires_at: number }` | WS stream — streams `PoseDataMessage` events for `duration_s` seconds |
-| `ruview.primitives.get` | `{ node_id?: string; primitive: SemanticPrimitiveKind }` | `SemanticPrimitiveResult` | `SemanticPrimitive` + `SemanticPrimitiveEvent` (primitives.py:36-75) |
-| `ruview.primitives.list_active` | `{ node_id?: string }` | `{ primitives: SemanticPrimitiveResult[] }` | All 10 ADR-115 semantic primitives (primitives.py:36-45) |
-| `ruview.primitives.subscribe` | `{ node_id?: string; primitive?: SemanticPrimitiveKind; duration_s: number }` | `{ subscription_id: string; expires_at: number }` | MQTT topic `homeassistant/+/wifi_densepose_<node>/+/state` (mqtt.py:8-9) |
-| `ruview.bfld.last_scan` | `{ node_id?: string }` | `{ node_id: string; identity_risk_score: number; privacy_class: number; n_frames: number; timestamp_ms: number }` | MQTT `ruview/<node_id>/bfld/scan_result` (ADR-118/ADR-121) |
-| `ruview.bfld.subscribe` | `{ node_id?: string; duration_s: number }` | `{ subscription_id: string; expires_at: number }` | MQTT `ruview/<node_id>/bfld/*` |
-| `ruview.node.list` | `{ }` | `{ nodes: NodeInfo[] }` | MQTT discovery + REST `/api/nodes` |
-| `ruview.node.status` | `{ node_id: string }` | `NodeStatusResult` | REST `/api/status` or MQTT will-message |
-| `ruview.vector.search_pose` | `{ query_embedding: number[]; k?: number; node_id?: string }` | `{ matches: VectorMatch[] }` | `ruvector` HNSW index of stored pose keypoints (ADR-016) |
-| `ruview.vector.store_pose` | `{ pose: PosePersonResult; node_id: string }` | `{ vector_id: string }` | `ruvector` HNSW upsert |
-
-### 4.1a Policy / governance tools (RUVIEW-POLICY)
-
-**Added 2026-05-24 per maintainer review.** Once tools can answer "who is in the room?", the library is no longer middleware — it is environmental intelligence infrastructure, and that changes the trust model. Every sensing tool above MUST route through this policy layer before returning data. The layer is enforced server-side in the MCP server, not client-side, so a malicious or misconfigured agent cannot bypass it.
-
-| Tool name | Input interface | Return shape | Purpose |
-|---|---|---|---|
-| `ruview.policy.can_access_vitals` | `{ agent_id: string; node_id: string; vital: "breathing" \| "heart_rate" \| "all" }` | `{ allowed: boolean; reason: string; expires_at?: number }` | Gate every `ruview.vitals.*` call. Default-deny when no policy is registered for the (agent_id, node_id) pair. |
-| `ruview.policy.can_query_presence` | `{ agent_id: string; scope: "node" \| "fleet"; node_id?: string; zone?: string }` | `{ allowed: boolean; reason: string; redactions?: string[] }` | Fleet-scope presence queries (e.g. "is anyone home?") require explicit scope grant; node-scope is the safer default. |
-| `ruview.policy.can_subscribe` | `{ agent_id: string; topic: string; duration_s: number }` | `{ allowed: boolean; max_duration_s: number; reason: string }` | Subscriptions can be denied entirely or capped to a shorter duration than requested (e.g. agent asks for 1 h, policy returns 5 min). |
-| `ruview.policy.redact_identity_fields` | `{ payload: Record<string, unknown>; agent_id: string }` | `{ payload: Record<string, unknown>; redacted_fields: string[] }` | Server-side redaction pass applied to every tool return value. Strips `sta_mac`, raw BFLD matrices, and any keypoint set marked `privacy_class >= 2` per ADR-120. Called automatically by the MCP server; agents never see the un-redacted payload. |
-| `ruview.policy.audit_log` | `{ agent_id?: string; since_ts?: number }` | `{ events: PolicyAuditEvent[] }` | Returns the policy-decision audit trail for a maintainer-tier agent. Other agents are denied even if they hold valid tool grants — auditability of the auditor is itself a policy decision. |
-
-Policy storage is a local JSON file (`~/.config/rvagent/policy.json` on Unix, `%APPDATA%\rvagent\policy.json` on Windows) backed by a CLI editor (`npx @ruvnet/rvagent policy grant ...`). Schema mirrors the ADR-010 claims-based authorization model where it exists in the Rust workspace, but the npm library keeps a self-contained store so SENSE-BRIDGE can ship without the full claims infrastructure on day one.
-
-**Default policy when no file exists**: deny `ruview.vitals.*` and `ruview.policy.audit_log`; allow `ruview.presence.now` and `ruview.node.list` (coarse, non-biometric); allow `ruview.primitives.list_active` with `redact_identity_fields` applied. This is the "explore safely" default so a new install can sanity-check the agent is wired up without leaking biometric data.
-
-### 4.2 MCP resource catalog
-
-Resources provide read-only data that can be embedded in the LLM context window.
-
-| Resource URI | Description | MIME type |
-|---|---|---|
-| `ruview://nodes` | JSON list of all discovered nodes (IP, firmware version, capabilities) | `application/json` |
-| `ruview://nodes/{node_id}/config` | Node configuration (channel, MAC filter, privacy class) | `application/json` |
-| `ruview://nodes/{node_id}/vitals/latest` | Latest `EdgeVitalsMessage` for the node | `application/json` |
-| `ruview://nodes/{node_id}/pose/latest` | Latest `PoseDataMessage` | `application/json` |
-| `ruview://nodes/{node_id}/bfld/latest` | Latest BFLD scan result | `application/json` |
-| `ruview://primitives/schema` | JSON schema for the 10 semantic primitives (ADR-115) | `application/json` |
-| `ruview://fleet/topology` | Tailscale-fleet topology (host, TS IP, role) — sourced from local CLAUDE.local.md fleet table | `text/markdown` |
-
-### 4.3 MCP prompt templates
-
-| Prompt name | Description | Arguments |
-|---|---|---|
-| `ruview.diagnose_node` | Walk the user through node connectivity check, firmware version, and live vitals stream | `{ node_id: string }` |
-| `ruview.presence_report` | Summarize presence + persons over a time window in natural language | `{ node_id: string; window_s: number }` |
-| `ruview.vitals_alert_rule` | Generate an HA automation YAML fragment for a vitals threshold alert | `{ primitive: SemanticPrimitiveKind; threshold: number }` |
-| `ruview.bfld_privacy_audit` | Produce a compliance-ready privacy audit paragraph from the last BFLD scan | `{ node_id: string }` |
-
----
-
-## 5. Dependency graph
-
-```
-@ruvnet/rvagent (npm / TypeScript)
-├── @modelcontextprotocol/sdk    ^1.x  — MCP Server, StdioServerTransport,
-│                                        StreamableHTTPServerTransport, McpError
-├── ruvector                     ^0.2  — HNSW vector index, embedding storage
-│                                        (napi-rs native bindings; NO reimplementation)
-├── zod                          ^3.x  — Input schema validation for all tool inputs
-├── ws                           ^8.x  — WebSocket client to sensing-server /ws/sensing
-│   └── @types/ws
-├── mqtt                         ^5.x  — MQTT client for ruview/<node_id>/* topics
-│                                        (replaces paho-mqtt; mqtt.js is the npm standard)
-├── node-fetch / undici           —     — HTTP client for REST endpoints on sensing-server
-└── tsup                         (dev) — ESM + CJS dual build
-
-Runtime back-ends (NOT bundled — must be reachable at runtime):
-├── wifi-densepose-sensing-server (Rust binary)
-│   ├── REST API   :3000  /api/*
-│   ├── WebSocket  :8765  /ws/sensing
-│   └── MQTT       via local broker or ruview/<node_id>/*
-├── MQTT broker    (mosquitto or broker at cognitum-v0:1883)
-└── ruvector HNSW index (in-process via napi-rs; no separate service)
-```
-
-Key integration boundary: **ruvector is purely in-process**. The HNSW index lives in the `@ruvnet/rvagent` Node.js process memory, populated from pose keypoints received over the sensing-server WebSocket. There is no separate vector service. This matches the architecture of `wifi-densepose-ruvector` (Rust crate in the workspace) which is also in-process.
-
----
-
-## 6. Python client surface parity table
-
-The Python client in `python/wifi_densepose/client/` (ADR-117 P4) is the canonical reference for the TS surface. TypeScript should mirror it so users see the same domain model across runtimes.
-
-| Python class / enum | File | TypeScript equivalent in @ruvnet/rvagent |
-|---|---|---|
-| `SensingMessage` | `ws.py:54-60` | `interface SensingMessage` |
-| `ConnectionEstablishedMessage` | `ws.py:63-70` | `interface ConnectionEstablishedMessage extends SensingMessage` |
-| `EdgeVitalsMessage` | `ws.py:74-88` | `interface EdgeVitalsMessage extends SensingMessage` |
-| `PoseDataMessage` | `ws.py:91-98` | `interface PoseDataMessage extends SensingMessage` |
-| `SensingClient` (asyncio) | `ws.py:160` | `class SensingClient` (EventEmitter-based, async iterator) |
-| `SemanticPrimitive` (enum) | `primitives.py:36-45` | `enum SemanticPrimitive` |
-| `SemanticPrimitiveEvent` | `primitives.py:60-75` | `interface SemanticPrimitiveEvent` |
-| `SemanticPrimitiveListener` | `primitives.py:84-155` | `class SemanticPrimitiveListener` |
-| `RuViewMqttClient` | `mqtt.py:56` | `class RuViewMqttClient` (wraps mqtt.js `MqttClient`) |
-| `_topic_matches` | `mqtt.py:237-257` | `function topicMatches(pattern, topic)` |
-
----
-
-## 7. Implementation plan
-
-```
-P1 ──► P2 ──► P3 ──► P4 ──► P5
-npm    MCP    MCP    ruvector  npm
-scaffold stdio  SSE   integration  publish + ruflo bridge
-```
-
-### P1 — Scaffold (1 week)
-
-**Goal**: an installable npm package skeleton that compiles and passes CI.
-
-- [ ] Create `npm/rvagent/` directory in the repo (mirrors `python/wifi_densepose/`). Do not add to `v2/` Rust workspace.
-- [ ] `package.json`: name `@ruvnet/rvagent`, version `0.1.0-alpha.1`, `type: "module"`, exports map with `./package.json`, `.` (ESM + CJS), `./stdio`, `./http`.
-- [ ] `tsconfig.json`: `strict: true`, `target: ES2022`, `module: NodeNext`, `moduleResolution: NodeNext`.
-- [ ] `tsup.config.ts`: dual `esm + cjs` build, `dts: true`.
-- [ ] Add `@modelcontextprotocol/sdk`, `ruvector`, `zod`, `ws`, `mqtt`, `tsup` as deps / devDeps.
-- [ ] CI job: `npm ci && npm run build` on `ubuntu-latest` with Node 20, 22.
-- [ ] Stub `src/index.ts` that exports package version string. Import succeeds.
-
-### P2 — MCP stdio server (2 weeks)
-
-**Goal**: `npx @ruvnet/rvagent stdio` connects to a running sensing-server over WebSocket + MQTT and exposes the tool catalog from §4.1 over stdio transport.
-
-- [ ] `src/server.ts` — create `McpServer` instance, register all tools from §4.1 with Zod input schemas. Tools that require a live sensing-server connection return a structured error `{ error: "SENSING_SERVER_UNAVAILABLE" }` rather than throwing, so the LLM gets useful context.
-- [ ] `src/transports/stdio.ts` — `StdioServerTransport` entrypoint. Reads `RUVIEW_HOST` and `RUVIEW_PORT` env vars (default `localhost:8765` WS, `localhost:3000` REST, `localhost:1883` MQTT).
-- [ ] `src/sensing/ws-client.ts` — TypeScript port of `python/wifi_densepose/client/ws.py`. Async generator yielding `SensingMessage` variants. Reconnect with exponential back-off (the Python client explicitly does not reconnect — the TS one should, because the stdio process is long-lived).
-- [ ] `src/sensing/mqtt-client.ts` — TypeScript port of `python/wifi_densepose/client/mqtt.py` using `mqtt.js ^5`. Per-pattern callbacks, `topicMatches` wildcard helper.
-- [ ] `src/sensing/primitives.ts` — `SemanticPrimitive` enum + `SemanticPrimitiveListener`. Mirror of `primitives.py`.
-- [ ] Tool implementations for the 5 highest-priority tools: `ruview.presence.now`, `ruview.vitals.get_all`, `ruview.pose.latest`, `ruview.primitives.get`, `ruview.node.list`.
-- [ ] Resource implementations: `ruview://nodes`, `ruview://nodes/{node_id}/vitals/latest`.
-- [ ] Integration test: spin up `sensing-server --mock-frames` in Docker; assert `npx @ruvnet/rvagent stdio` receives a `ruview.vitals.get_all` tool call response with non-null `breathing_rate_bpm`.
-- [ ] `claude mcp add rvagent -- npx @ruvnet/rvagent stdio` smoke-test (manual).
-
-### P3 — MCP Streamable HTTP server (2 weeks)
-
-**Goal**: `npx @ruvnet/rvagent serve --port 3100` starts an HTTP server that serves the full MCP tool catalog over Streamable HTTP (and optionally legacy SSE for backwards compat).
-
-- [ ] `src/transports/http.ts` — `StreamableHTTPServerTransport` backed by an Express 5 or Hono app (Hono preferred for lightweight edge deployability).
-- [ ] Session management: issue `Mcp-Session-Id` UUIDs on `POST /mcp` initialize; reject subsequent requests without session header with HTTP 400.
-- [ ] Origin validation: configurable `RUVIEW_ALLOWED_ORIGINS` env var; default reject all cross-origin requests (MCP spec security requirement §Streamable HTTP §Security Warning).
-- [ ] Auth: optional `RUVIEW_BEARER_TOKEN` env var. If set, require `Authorization: Bearer <token>` on all requests. This mirrors `v2/crates/wifi-densepose-sensing-server/src/bearer_auth.rs`.
-- [ ] Legacy SSE compatibility: `--legacy-sse` flag mounts the deprecated `SSEServerTransport` on `/sse` + `/message` for Claude Desktop clients on protocol version `2024-11-05`. Document this as a single-release compat shim.
-- [ ] Remaining tools from §4.1: `ruview.vitals.get_breathing`, `ruview.vitals.get_heart_rate`, `ruview.pose.subscribe`, `ruview.primitives.list_active`, `ruview.primitives.subscribe`, `ruview.bfld.last_scan`, `ruview.bfld.subscribe`, `ruview.node.status`.
-- [ ] Prompt template registrations from §4.3.
-- [ ] Integration test: `curl -X POST http://localhost:3100/mcp` with a `tools/list` request; assert the response lists all 15 tools.
-- [ ] Docker Compose entry for local fleet testing: `rvagent` HTTP container talking to `sensing-server` and `mosquitto` containers.
-
-### P4 — ruvector integration (1 week)
-
-**Goal**: `ruview.vector.search_pose` and `ruview.vector.store_pose` tools work end-to-end with a live HNSW index.
-
-- [ ] `src/vector/index.ts` — wrapper around `ruvector` napi-rs bindings. Initialise an HNSW index at server startup; expose `store(id, embedding)` and `search(embedding, k)`.
-- [ ] Pose-to-embedding pipeline: when a `PoseDataMessage` arrives from the WS client, extract the 17-keypoint array, normalise to `[-1, 1]` per keypoint coordinate, flatten to a 34-dimensional float vector, store in HNSW with `node_id:person_index:timestamp_ms` as the ID.
-- [ ] `src/vector/aether.ts` — AETHER-style cross-viewpoint search (ADR-024): given a pose embedding query, search HNSW index across all stored poses and return the top-k matches with their source node IDs. This enables cross-node person re-identification via the MCP tool without any network call between nodes.
-- [ ] Verify that the `ruvector` napi-rs binary loads correctly on Node 20 linux/x86_64, macos/arm64, and windows/amd64. Document any platform-specific caveats.
-- [ ] Index persistence: optional `RUVIEW_VECTOR_DB_PATH` env var. If set, persist the HNSW index to disk using `ruvector`'s serialise API. If unset, in-memory only (default for stdio transport).
-- [ ] Integration test: feed 100 synthetic pose frames with known clustering, assert `ruview.vector.search_pose` retrieves nearest neighbours with recall >0.9.
-
-### P5 — npm publish + ruflo bridge (1 week)
-
-**Goal**: `npm install @ruvnet/rvagent` works for consumers; ruflo agents can call `mcp__rvagent__*` tools through the standard claude-flow MCP registration.
-
-- [ ] Populate `package.json` with `publishConfig: { access: "public" }`, `engines: { node: ">=20" }`, `files` whitelist (`dist/`, `src/`, `README.md`).
-- [ ] Publish `@ruvnet/rvagent@0.1.0-alpha.1` to npm under the `@ruvnet` scope.
-- [ ] ruflo plugin manifest: create `.claude/plugins/rvagent/plugin.json` following the ruflo `plugin/` convention in the ruflo repo. The manifest registers the HTTP transport URL (configurable) and maps `mcp__rvagent__*` tool calls to the rvagent MCP server.
-- [ ] `ruview` skill in `.claude/agents/` (CLAUDE.md §Available Agents): an agent description that documents the rvagent tool namespace for ruflo orchestration.
-- [ ] `claude mcp add rvagent -- npx @ruvnet/rvagent stdio` tested against claude-flow MCP server on the local dev machine (ruvzen host on CLAUDE.local.md fleet).
-- [ ] Document the fleet deployment pattern: run `npx @ruvnet/rvagent serve` on cognitum-v0 (Tailscale IP 100.77.59.83, port 50060 range to avoid conflict with existing services; see CLAUDE.local.md services table). Register the URL as a remote MCP server in `.claude/settings.json`.
-- [ ] Publish announcement: link from project README (`docs/` link, not root README per CLAUDE.md rules).
-
----
-
-## 8. Open questions
-
-**Q1. npm package name availability**
-`rvagent` (unscoped) does not appear in the npm registry as of 2026-05-24 based on search results. `@ruvnet/rvagent` is definitely available (the `@ruvnet` scope is owned by ruvnet per the npm profile page). Should the package be published unscoped (`rvagent`) for simpler `npx rvagent stdio` invocation, or scoped (`@ruvnet/rvagent`) for namespace clarity? The decision should be made before P5 because the npm name is permanent.
-
-**Q2. ruvector binary compatibility on Windows**
-The `ruvector` npm package is a napi-rs native addon. The project's primary development machine (ruvzen) is Windows 11. It is not confirmed whether `ruvector@0.2.25` ships a prebuilt Windows binary in its npm tarball or requires a Rust toolchain to compile. If no Windows binary is shipped, developers on ruvzen would need the Rust toolchain installed to use `@ruvnet/rvagent`. This must be confirmed before P5 by running `npm install ruvector` on ruvzen.
-
-**Q3. ruvector TypeScript API stability**
-ruvector `0.2.x` is not a 1.0 release. The HNSW insert and search API surface may change between minor versions. SENSE-BRIDGE P4 should pin `ruvector@~0.2.25` and document the version constraint explicitly. The question is whether ruvector publishes a changelog with breaking-change notices.
-
-**Q4. MCP tool call latency budget — RESOLVED**
-Raw sensing frequency ≠ agent interaction frequency. If a tool call ever waits on the next CSI frame, agent orchestration latency becomes physically coupled to RF acquisition jitter, which is unacceptable at scale. The library MUST take option (a) — return from a continuous local cache:
-
-1. **Continuous local cache**: on startup the rvagent MCP server opens one WebSocket + one MQTT subscription per configured sensing-server endpoint and ingests every frame into an in-memory `Map<node_id, EdgeVitalsMessage>` (plus parallel maps for `PoseDataMessage` and BFLD). Cache hits return in <1 ms regardless of CSI frame rate.
-2. **Event-driven invalidation**: the cache entry's `received_at` timestamp is bumped on every received frame. The cache itself is never purged on a timer — only overwritten when fresh data lands, so a node that went quiet still serves its last-known value.
-3. **Bounded freshness windows**: each tool accepts an optional `max_age_ms` argument (default 1000). If the cached `received_at` is older than `max_age_ms`, the tool returns `{ value: null, reason: "stale", last_seen_ms: N, threshold_ms: max_age_ms }` rather than blocking. The agent decides whether to accept the staleness, raise to the user, or escalate to a `ruview.node.status` health check.
-
-This pattern is required because P3's Streamable HTTP transport may serve dozens of concurrent agent sessions — see Q8. A shared cache + per-session freshness contract scales; per-session WS connections do not.
-
-P2 must implement this cache; P3 must verify that fanning the same cache to N concurrent HTTP sessions still maintains <1 ms median tool-call latency under load.
-
-**Q5. Subscription tool lifetime management**
-Tools `ruview.pose.subscribe`, `ruview.primitives.subscribe`, and `ruview.bfld.subscribe` return a `subscription_id` and stream events. In the stdio transport there is one client, so this is straightforward. In the HTTP transport with multiple sessions, subscription state must be tracked per `Mcp-Session-Id`. When a session expires (HTTP 404) or is deleted via HTTP DELETE, the subscription must be cleaned up. The lifecycle mechanism is not fully designed — this is a known gap that P3 must close.
-
-**Q6. AETHER embedding dimension**
-The ADR proposes a 34-dimensional pose embedding (17 keypoints × 2 coordinates). The actual AETHER embedding model (ADR-024) uses a learned contrastive encoder, not raw keypoints. If the AETHER ONNX model is available in the Rust workspace at P4 time, the embedding should use it. If not, the raw-keypoint approach is a reasonable placeholder. The question is whether `wifi-densepose-nn` exposes the AETHER encoder in a form that can be called from Node.js without bundling libtorch in the npm package.
-
-**Q7. ruflo plugin manifest format**
-The ruflo plugin convention (`plugin/` directory in the ruflo repo) is not fully documented in a public spec as of this writing. The manifest format was inferred from the `ruflo-plugins.gif` directory listing and referenced in issue #952. Before P5, the actual plugin manifest schema must be confirmed from the ruflo repo so SENSE-BRIDGE does not ship an incompatible manifest.
-
-**Q8. MQTT vs direct WebSocket for Streamable HTTP transport**
-In the stdio transport, rvagent holds a single WebSocket + single MQTT connection to the sensing-server. In the Streamable HTTP transport (potentially serving dozens of agent sessions), maintaining one connection per session is not scalable. The recommended pattern is a single shared connection per (sensing-server endpoint), multiplexed to all sessions. The implementation complexity of this fan-out is non-trivial and is not fully specified here.
-
-**Q9. Legacy SSE deprecation timeline**
-The MCP `2024-11-05` SSE transport is deprecated in the current spec but Claude Desktop versions prior to the spec `2025-03-26` update still use it. SENSE-BRIDGE proposes `--legacy-sse` for one release cycle. The question is which specific Claude Desktop version drops legacy SSE support, and whether any of the active fleet nodes (cognitum-v0, cognitum-seed-1) run a Claude Desktop version old enough to need it.
-
-**Q10. Node.js vs Bun runtime**
-The ruflo monorepo uses `bun` as the primary runtime (per `bunfig.toml` in `v3/`). Should `@ruvnet/rvagent` also support Bun? Bun's napi-rs compatibility for native addons like `ruvector` is improving but not guaranteed for 0.2.x. The P1 CI should test on Node 20 first; Bun support can be declared as a stretch goal for P5.
-
----
-
-## 9. Alternatives considered
-
-### Alt-A — Python-only client (extend ADR-117 with MCP bindings)
-
-Add `wifi_densepose.mcp` as a P6 module in the PIP-PHOENIX wheel (ADR-117). The Python MCP SDK (`mcp[cli]`) supports both stdio and HTTP transports and the PyO3 bindings give direct access to the sensing types.
-
-**Rejected because**: Python is not the dominant runtime for MCP server hosting in 2026 — the ecosystem tooling (Claude Desktop, Claude Code `mcp add`, ruflo) is TypeScript-first. A Python MCP server requires the full pip install including PyO3 bindings, which is a heavier install than `npx @ruvnet/rvagent stdio`. The ruflo plugin format is TypeScript. ADR-117 is already sizeable; adding MCP to it conflates two distinct concerns (Python developer library vs. AI agent interface). Python MCP remains a viable future addition (Q10 for a future ADR) but is not the right first-ship target.
-
-### Alt-B — Pure WebSocket/REST client without MCP framing
-
-Ship a TypeScript client library `@ruvnet/ruview-client` that wraps the sensing-server WebSocket and REST API without the MCP layer. Consumers who want MCP integration would wrap it themselves.
-
-**Rejected because**: it solves the connectivity problem but not the agent integration problem. Without MCP framing, Claude Code and ruflo agents cannot discover or call RuView capabilities through the standard `mcp__*` namespace — they would need custom prompt injection or bespoke tool definitions per agent. The whole value proposition of this ADR is that a single `claude mcp add rvagent` command makes all RuView primitives discoverable to any MCP-capable AI assistant. Splitting the library forces every consumer to re-add the MCP layer.
-
-### Alt-C — Embed MCP server inside the existing wifi-densepose-sensing-server Rust binary
-
-Add an MCP endpoint to the existing Axum server in `v2/crates/wifi-densepose-sensing-server/` (`v2/crates/wifi-densepose-sensing-server/src/main.rs`). This would use the `rmcp` Rust crate (Model Context Protocol SDK for Rust) and expose MCP over an additional port.
-
-**Rejected because**: (a) it couples the release cycle of the npm-hosted MCP interface to the firmware/Rust release cycle, which are on separate cadences — a new MCP tool that merely adds a JSON field should not require a firmware rebuild; (b) the ruflo plugin ecosystem is TypeScript and expects npm packages, not Rust binaries; (c) the ruvector vector layer is a napi-rs Node.js native module and cannot be called directly from a Rust process without going through the napi-rs server-side API, adding unnecessary complexity; (d) the sensing-server binary is already 15-30 MB stripped — adding the MCP endpoint and its JSON-RPC machinery would further bloat it. This alternative is worth revisiting if the Rust `rmcp` crate matures and the vector layer migrates fully to native Rust, but it is not appropriate for the first implementation.
-
-### Alt-D — Wrapping the existing ruflo WASM rvagent in a RuView shim
-
-The ruflo WASM rvagent (`rvagent_wasm_bg.wasm`) already exports `callMcp` / `executeTool` / `listTools`. One could define a RuView shim that registers custom tools into the ruflo WASM rvagent gallery.
-
-**Rejected because**: the ruflo WASM rvagent is an in-browser MCP *client* runner for the ruflo gallery, not a general-purpose MCP server that can expose sensing data. Its 13 exported functions are focused on template management and ruflo-gallery operations. Patching sensing tools into a browser WASM module is the wrong architecture for a server-side sensing bridge. The naming overlap is a reason to publish the new package promptly and clearly document the distinction.
-
----
-
-## 10. Compatibility
-
-### 10.1 Backwards compatibility with ADR-117 (PIP-PHOENIX) Python client
-
-SENSE-BRIDGE does not replace the Python client. Both can coexist:
-- Python integrators use `from wifi_densepose.client import SensingClient` (ADR-117).
-- TypeScript / MCP integrators use `import { SensingClient } from "@ruvnet/rvagent"`.
-- MCP-capable AI assistants use `claude mcp add rvagent -- npx @ruvnet/rvagent stdio`.
-
-All three talk to the same sensing-server backend; there is no shared state between the Python and TypeScript clients beyond what the sensing-server itself maintains.
-
-### 10.2 Sensing-server API contract
-
-SENSE-BRIDGE depends on the sensing-server WebSocket protocol documented in `v2/crates/wifi-densepose-sensing-server/src/main.rs` (referenced in `python/wifi_densepose/client/ws.py:6-13`). The three message types (`connection_established`, `pose_data`, `edge_vitals`) are stable across v0.7.x releases. If the sensing-server adds new message types, SENSE-BRIDGE follows the same pattern as the Python client: unknown `type` values yield a plain `SensingMessage` rather than an error, ensuring forward compatibility.
-
-### 10.3 MCP protocol version
-
-SENSE-BRIDGE targets MCP protocol version `2025-06-18` (current stable). It will include backwards compatibility with `2025-03-26` (Streamable HTTP without session management) and optionally `2024-11-05` (legacy SSE via `--legacy-sse` flag). Protocol version `2025-06-18` requires the `MCP-Protocol-Version` header on HTTP requests; SENSE-BRIDGE validates this per spec.
-
-### 10.4 Node.js version
-
-Minimum Node.js 20 LTS. Node 22 is supported and recommended for production (active LTS as of 2026). The `ruvector` napi-rs bindings must be confirmed compatible with both (Q2). Node 18 is EOL and explicitly not supported.
-
-### 10.5 MQTT broker compatibility
-
-SENSE-BRIDGE uses `mqtt.js ^5` which implements MQTT 3.1.1 and MQTT 5.0. The `mosquitto` local broker (CLAUDE.local.md §Local mosquitto) and cognitum-v0's MQTT stack (CLAUDE.local.md fleet table) are both compatible. TLS mode is optional via `RUVIEW_MQTT_TLS=1` env var.
-
----
-
-## 11. Consequences
-
-### 11.1 Positive consequences
-
-- Any MCP-capable AI assistant can query RuView presence, vitals, pose, and BFLD data with zero custom integration code after `claude mcp add rvagent`.
-- ruflo multi-agent swarms gain first-class access to real-world sensing data, enabling swarms to gate decisions on physical events (fall detected → page caregiver workflow).
-- The TypeScript surface provides a second reference implementation of the sensing-server client protocol alongside the Python client (ADR-117), validating the protocol design against two independent consumers.
-- The ruvector HNSW integration enables cross-node person re-identification entirely within the rvagent process — no additional network calls between sensing nodes.
-
-### 11.2 Negative consequences / risks
-
-| Risk | Likelihood | Severity | Mitigation |
-|---|---|---|---|
-| **ruvector napi-rs not building on Windows** | Medium | Medium | Confirm in P1 CI; if binaries not prebuilt, document requirement of Rust toolchain on Windows |
-| **MCP protocol churn** — spec updated twice in 2025; another update in 2026 possible | Medium | Low | Pin `@modelcontextprotocol/sdk` to a minor range; wrap SDK calls behind an internal `transport.ts` abstraction so changes are isolated |
-| **Subscription lifecycle bugs** — zombie subscriptions if session cleanup is missed | High | Medium | Implement per-session resource registry with TTL; all subscriptions auto-expire after `duration_s` even if session is not explicitly deleted |
-| **sensing-server WS disconnect** — stdio process dies if not reconnecting | Low | High | Implement exponential back-off reconnect in `ws-client.ts`; emit `{ error: "RECONNECTING" }` tool responses during gap |
-| **npm name collision** — `rvagent` taken by another publisher before P5 | Low | Medium | Publish `@ruvnet/rvagent` scoped; use that name throughout |
-| **ruflo plugin manifest incompatibility** — format not publicly specced | Medium | Medium | Confirm format in P5 preparation; use the minimal required fields only |
-| **Sensing-tool surface becomes a surveillance API** — "who is in the room" is a privacy-charged primitive | High | High | RUVIEW-POLICY layer (§4.1a) gates every sensing call; default-deny for biometric tools; redaction applied server-side so agents cannot opt out |
-
-### 11.3 Strategic implication: ambient-sensing normalization layer
-
-The MCP tool catalog in §4 is RuView-WiFi-CSI-specific today. The shape of the catalog — `presence.now`, `vitals.get_*`, `pose.latest`, `primitives.*`, `bfld.*` — is **modality-agnostic at the semantic layer**: the same tools could be backed by any sensing modality that produces the same questions.
-
-If the project later adds BLE, mmWave (e.g. the ESP32-C6 + Seeed MR60BHA2 already on COM4 per CLAUDE.md), LiDAR, thermal, camera, radar, or UWB inputs, the rvagent MCP surface stays the same. Only the source-multiplexer behind `cache.ts` changes — it now ingests from multiple modalities and resolves conflicts (e.g. WiFi CSI says "presence: true" but mmWave says "presence: false" → fusion policy decides; this is the kind of decision the RUVIEW-POLICY layer can also gate).
-
-This positions the npm package not as "a WiFi client" but as the **semantic-environment API**: agents ask "is anyone here?" without caring which radio answered. The competitive landscape (Aqara FP2, ESPHome LD2410) exposes raw telemetry; SENSE-BRIDGE exposes environmental cognition.
-
-The follow-on ADR (call it ADR-13x — RUVIEW-FUSION) would formalize the per-modality adapter contract. It is intentionally out of scope for ADR-124 — this ADR ships the WiFi-CSI path only — but the tool catalog and policy layer are designed to absorb additional modalities without API churn.
-
----
-
-## 12. Acceptance criteria
-
-The following must all pass before ADR-124 is considered Accepted:
-
-- [ ] `npm install @ruvnet/rvagent` succeeds on Node 20/22, linux/x86_64, macos/arm64, windows/amd64 with no Rust toolchain required (ruvector prebuilts must ship).
-- [ ] `npx @ruvnet/rvagent stdio` starts and responds to a `tools/list` JSON-RPC request with the 15 tools from §4.1.
-- [ ] `npx @ruvnet/rvagent serve --port 3100` starts; `curl -X POST http://localhost:3100/mcp -H "Content-Type: application/json" -d '{"jsonrpc":"2.0","method":"tools/list","id":1}'` returns the tool list.
-- [ ] `ruview.vitals.get_all` with a running `sensing-server --mock-frames` returns `breathing_rate_bpm` and `heartrate_bpm` values within 5 seconds.
-- [ ] `ruview.vector.store_pose` followed by `ruview.vector.search_pose` with the same embedding returns the stored pose as the top-1 match.
-- [ ] `claude mcp add rvagent -- npx @ruvnet/rvagent stdio` followed by `/mcp` in a Claude Code session shows the rvagent tools listed.
-- [ ] All MCP tool input schemas are validated via Zod; an invalid input returns an MCP `INVALID_PARAMS` error, not an unhandled exception.
-- [ ] TypeScript strict-mode compilation (`tsc --noEmit`) passes with zero errors.
-- [ ] `npm run build` produces both ESM (`dist/esm/`) and CJS (`dist/cjs/`) outputs with `.d.ts` type declarations.
-- [ ] The published npm tarball size is `≤ 10 MB` including the ruvector napi-rs binary for the current platform.
-
----
-
-## 13. References
-
-### This repo
-
-- `python/wifi_densepose/client/ws.py` — WebSocket client (ADR-117 P4): connection protocol, message types `connection_established`, `pose_data`, `edge_vitals`
-- `python/wifi_densepose/client/mqtt.py` — MQTT client (ADR-117 P4): topic namespaces, wildcard matching
-- `python/wifi_densepose/client/primitives.py` — Semantic primitive enum and listener (ADR-117 P4): 10 ADR-115 primitives
-- `v2/crates/wifi-densepose-sensing-server/src/main.rs` — Axum server: REST API, WebSocket endpoint `/ws/sensing`
-- `v2/crates/wifi-densepose-sensing-server/src/bearer_auth.rs` — Bearer token auth pattern for HTTP server
-- `v2/crates/wifi-densepose-sensing-server/src/semantic/` — 10 semantic primitive modules
-- `v2/crates/wifi-densepose-sensing-server/src/mqtt/` — MQTT publisher, discovery, topic routing
-- `docs/adr/ADR-055-integrated-sensing-server.md` — Sensing-server architectural context
-- `docs/adr/ADR-095-rvcsi-edge-rf-sensing-platform.md` — rvCSI edge runtime
-- `docs/adr/ADR-115-home-assistant-integration.md` — MQTT topic structure, 10 semantic primitives, 21 HA entities
-- `docs/adr/ADR-117-pip-wifi-densepose-modernization.md` — PIP-PHOENIX: Python client and PyO3 bindings (the Python-runtime parallel to this ADR)
-- `docs/adr/ADR-118-bfld-beamforming-feedback-layer-for-detection.md` — BFLD crate: `BfldEvent` MQTT topics
-- `docs/adr/ADR-024-contrastive-csi-embedding-model.md` — AETHER person re-ID embeddings
-- `docs/adr/ADR-016-ruvector-integration.md` — RuVector integration in the Rust workspace
-- `CLAUDE.md` — Project config: 3-tier model routing (ADR-026), ruflo MCP tools, `mcp__claude-flow__*` namespace
-- `CLAUDE.local.md` — Fleet table: Tailscale hosts, cognitum-v0 services table, local mosquitto pattern
-
-### External
-
-- [Model Context Protocol specification 2025-06-18](https://modelcontextprotocol.io/specification/2025-06-18/basic/transports) — Transports: stdio and Streamable HTTP
-- [MCP TypeScript SDK — github.com/modelcontextprotocol/typescript-sdk](https://github.com/modelcontextprotocol/typescript-sdk) — `Server`, `StdioServerTransport`, `StreamableHTTPServerTransport`
-- [@modelcontextprotocol/sdk on npm](https://www.npmjs.com/package/@modelcontextprotocol/sdk)
-- [ruvector on npm](https://www.npmjs.com/package/ruvector) — v0.2.25, napi-rs HNSW vector DB
-- [ruvnet npm profile](https://www.npmjs.com/~ruvnet) — confirms `@ruvnet` scope ownership
-- [RuVector GitHub](https://github.com/ruvnet/ruvector) — Rust source + napi-rs node bindings
-- [ruflo (claude-flow) GitHub](https://github.com/ruvnet/ruflo) — ruflo plugin manifest convention, `v3/` structure
-- [ruflo issue #1689](https://github.com/ruvnet/ruflo/issues/1689) — documents existing rvagent WASM exports (`callMcp`, `executeTool`, `listTools`) and distinguishes them from this ADR's server-side rvagent
-- [Why MCP Deprecated SSE — fka.dev](https://blog.fka.dev/blog/2025-06-06-why-mcp-deprecated-sse-and-go-with-streamable-http/) — rationale for Streamable HTTP over legacy SSE
-- [MCP TypeScript SDK dual-transport patterns — dev.to](https://dev.to/zoricic/understanding-mcp-server-transports-stdio-sse-and-http-streamable-5b1p)

docs/adr/ADR-125-ruview-apple-home-native-hap-bridge.md

@@ -1,285 +0,0 @@
-# ADR-125: RuView ↔ Apple Home native HAP bridge — direct HomeKit accessory advertisement from the Seed
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-25 |
-| **Deciders** | ruv |
-| **Codename** | **APPLE-FABRIC** — RuView speaks HomeKit directly so Apple HomePod / Apple TV act as the discovery + automation surface with zero Home-Assistant middle layer |
-| **Relates to** | [ADR-115](ADR-115-home-assistant-integration.md) (HA-DISCO MQTT publisher), [ADR-116](ADR-116-cog-ha-matter-seed.md) (cog-ha-matter §P7 left HAP/Matter as a feature-flag stub), [ADR-118](ADR-118-bfld-beamforming-feedback-layer-for-detection.md) (BFLD presence + identity-risk events), [ADR-122](ADR-122-bfld-ruview-ha-matter-exposure.md) (BFLD HA/Matter exposure) |
-| **Tracking issue** | TBD |
-
----
-
-## 1. Context
-
-### 1.1 The misunderstanding worth correcting once
-
-A naive integration tries to **push** data to a HomePod — open a socket, send a JSON-RPC, call an MQTT topic on `homepod.local`. Apple intentionally does not expose that surface. The HomePod is not an endpoint; it is the **Home Hub + Matter Controller + HomeKit Controller + Siri endpoint** for the Apple Home ecosystem on the LAN. It **discovers** accessories that advertise themselves on the local network via Bonjour/mDNS using the HomeKit Accessory Protocol (HAP) or Matter.
-
-The correct direction of flow is therefore:
-
-```text
-RuView / Seed
-      ↓                  (advertise HAP / Matter accessory on LAN)
-HomeKit / Matter accessory
-      ↓                  (mDNS discovery)
-HomePod
-      ↓                  (forwards to Apple Home automation graph)
-Apple Home ecosystem (iPhone, Watch, Mac, Siri, automations)
-```
-
-### 1.2 What we ship today and where it stops
-
-ADR-115 ships an **MQTT auto-discovery publisher** that talks to Home Assistant. ADR-116's `cog-ha-matter` Cognitum cog wraps that publisher into a Seed-installable artifact with mDNS, an embedded rumqttd broker, RuVector-backed thresholds, and an Ed25519 witness chain. ADR-122 explicitly extends the same publisher with the BFLD presence / identity-risk / Soul-Match topics so a Home Assistant install sees them as auto-discovered entities. The current path to HomePod therefore runs:
-
-```text
-RuView sensing-server ──► cog-ha-matter (MQTT HA-DISCO + HA-MIND)
-                              ↓
-                       Home Assistant broker
-                              ↓
-                       Home Assistant HomeKit Bridge add-on
-                              ↓
-                              HomePod
-```
-
-This works and the auto-discovery is real, but it introduces a hard dependency: an operator must run Home Assistant, install its HomeKit Bridge integration, and pair the bridge in the Apple Home app. The Seed alone does not appear in Apple Home.
-
-ADR-116 §P7 anticipated this — the `cog-ha-matter` `Cargo.toml` already carries a `matter = []` feature stub with the comment "matter-rs is added in P7; intentionally absent in P1 to keep the dep surface small until the SDK choice is validated." This ADR closes that box.
-
-### 1.3 Why now
-
-Three forces line up in 2026-05:
-
-1. **The BFLD privacy gate (ADR-118 / 120 / 121) is shipped.** Class-2 and class-3 frames are the only ones eligible to cross the Matter boundary (ADR-122 §2.4). Without that gate we could not safely expose RuView signals to a consumer ecosystem. With it, every Anonymous / Restricted event is safe to advertise as a HomeKit sensor.
-2. **`@ruvnet/rvagent` (ADR-124) is on npm.** The MCP surface that lets agents query RuView is live. A first-class Apple-Home presence widens RuView's reach from "agents that speak MCP" to "anyone with an iPhone and a HomePod" — the consumer wedge.
-3. **The Cognitum Seed Docker image now bundles `cog-ha-matter`** (this branch's `Dockerfile.rust` change, see #794) — the runtime where a HAP advertiser would live is finally a single-image deployment.
-
-### 1.4 Strategic framing
-
-The combination is asymmetric:
-
-| Layer | RuView contributes | Apple Home contributes |
-|-------|---------------------|------------------------|
-| Sensing | Passive RF presence, breathing, heart rate, fall risk, BFLD identity-risk, through-wall occupancy, longitudinal wellness | (none — Apple has no native RF sensing surface) |
-| Adoption | (limited — researcher-grade hardware today) | iPhone, Watch, Mac, HomePod, Apple TV installed base; consumer trust; voice; on-device intelligence |
-| UX | (utility CLI + a Web UI) | Home app, Siri, automation engine, notifications, accessibility |
-| Trust | Ed25519 witness chain, privacy class gate, local-first | Apple HomeKit local pairing, end-to-end encrypted, no cloud requirement |
-
-RuView supplies the **invisible cognition layer** Apple cannot provide on its own; Apple supplies the **distribution and UX** that an open sensing stack cannot bootstrap. Direct HAP integration removes the only structural barrier between those two layers — Home Assistant as a mandatory intermediary.
-
----
-
-## 2. Decision
-
-Ship a **native HomeKit / Matter accessory** in the Seed runtime so a freshly-imaged Cognitum Seed appears in the Apple Home app under `Add Accessory → More Options` with **zero Home-Assistant dependency**.
-
-Concretely:
-
-1. Add a `hap-accessory` workspace component that advertises a set of HomeKit characteristics over mDNS using HAP-1.1 (HomeKit Accessory Protocol).
-2. The component subscribes to `wifi-densepose-sensing-server`'s WebSocket / BFLD `MqttEvent` stream and maps each privacy-class-2/3 event onto a HomeKit characteristic update.
-3. The same Docker image that ships `sensing-server` and `cog-ha-matter` ships the new advertiser as a third entrypoint:
-
-```bash
-docker run --network host ruvnet/wifi-densepose:latest hap-accessory --privacy-mode
-```
-
-`--network host` (or a macvlan bridge) is required because HAP pairing depends on the accessory and the controller seeing each other's mDNS broadcasts on the same L2 segment — same constraint Home Assistant's HomeKit Bridge has.
-
-### 2.1 Two implementation tracks (decided here together; ship 2.1.a first)
-
-#### 2.1.a — **HAP-python sidecar** (fastest to ship, lands first)
-
-Add a tiny Python entrypoint `bridges/hap-python/ruview_hap.py` using the well-maintained [`HAP-python`](https://github.com/ikalchev/HAP-python) library. The Dockerfile gets a thin Python runtime stage; the entrypoint script polls `sensing-server` over HTTP and pushes characteristic updates into the HAP loop.
-
-```python
-# bridges/hap-python/ruview_hap.py (≈80 LOC)
-from pyhap.accessory import Accessory
-from pyhap.accessory_driver import AccessoryDriver
-from pyhap.const import CATEGORY_SENSOR
-import urllib.request, json, threading, time
-
-SENSING_URL = "http://127.0.0.1:3000/api/v1"
-
-class RuViewSensor(Accessory):
-    category = CATEGORY_SENSOR
-
-    def __init__(self, *args, **kwargs):
-        super().__init__(*args, **kwargs)
-        s_motion = self.add_preload_service('MotionSensor')
-        self.c_motion = s_motion.configure_char('MotionDetected')
-        s_occ = self.add_preload_service('OccupancySensor')
-        self.c_occ = s_occ.configure_char('OccupancyDetected')
-        s_temp = self.add_preload_service('TemperatureSensor')
-        self.c_temp = s_temp.configure_char('CurrentTemperature')
-        threading.Thread(target=self._poll, daemon=True).start()
-
-    def _poll(self):
-        while True:
-            try:
-                v = json.loads(urllib.request.urlopen(f"{SENSING_URL}/vitals").read())
-                self.c_motion.set_value(bool(v.get("motion_present")))
-                self.c_occ.set_value(int(bool(v.get("occupancy"))))
-                if "ambient_temp_c" in v:
-                    self.c_temp.set_value(v["ambient_temp_c"])
-            except Exception:
-                pass
-            time.sleep(1.0)
-
-driver = AccessoryDriver(port=51826)
-driver.add_accessory(accessory=RuViewSensor(driver, 'RuView Sense'))
-driver.start()
-```
-
-Pairing flow on the operator's iPhone:
-
-1. Open Apple Home → `Add Accessory` → `More Options`
-2. Tap `RuView Sense` (appears via mDNS automatically)
-3. Enter the setup code shown in `docker logs` (or pinned in env)
-4. Done — Siri can say "Hey Siri, is anyone in the living room?"
-
-Replace the `motion_present` / `occupancy` mappings progressively as RuView capabilities mature: BFLD class-2 `presence` event → `OccupancyDetected`; BFLD class-3 `identity_risk_score > threshold` → `SecuritySystemCurrentState`; `breathing_present` → `OccupancyDetected` (sleep room); `fall_risk` → a programmable switch that fires an Apple Home automation.
-
-Acceptance criteria for 2.1.a:
-
-- A1: `docker run ... hap-accessory --privacy-mode` advertises an `_hap._tcp` service that the HomePod sees within 30s (`dns-sd -B _hap._tcp local.` on a peer Mac shows `RuView Sense`).
-- A2: Pairing from Apple Home succeeds and the entity appears in the Home app under the configured room.
-- A3: `MotionDetected` flips within 2 s of an actual RF presence detection from a calibrated ESP32 source (`CSI_SOURCE=esp32`).
-- A4: Restarting the container preserves the pairing (HAP state persisted under `/var/lib/ruview-hap/`).
-- A5: Privacy: the entrypoint refuses to launch without `--privacy-mode` when `RUVIEW_BFLD_PRIVACY_CLASS` is unset, matching the structural invariant I1 (Raw BFI never exits the node — ADR-118 §2.2).
-
-#### 2.1.b — **Rust-native HAP** (single binary, closes ADR-116 P7)
-
-Wire one of the maintained Rust HAP crates into `cog-ha-matter` so the Python sidecar can be removed. Candidate crates:
-
-- [`hap`](https://crates.io/crates/hap) (Sebastian Schmidt) — last published 0.1.0-pre.16, MIT, active in 2024, supports HAP-1.1, has examples for `MotionSensor`, `LightBulb`, `OccupancySensor`. **First choice.**
-- [`accessory-server`](https://crates.io/crates/accessory-server) — narrower scope, fewer services
-- A future `matter-rs` crate from project-chip — once stable (CHIP SDK Rust bindings are still emerging in 2026-05)
-
-The `matter = []` feature stub in `cog-ha-matter/Cargo.toml` (added in ADR-116 P1) becomes:
-
-```toml
-[features]
-default = []
-mqtt = ["dep:rumqttc"]
-matter = ["dep:hap"]          # ADR-125 §2.1.b
-```
-
-with a runtime subcommand `cog-ha-matter --mode hap` that mirrors the Python advertiser's accessory set. Single binary, no Python interpreter in the image, matches the all-Rust ethos of the Cognitum Seed (ADR-116 §1.4).
-
-### 2.1.c — **Topology: one HAP bridge, N child accessories** (decided)
-
-The advertiser publishes a **single HAP bridge** (`RuView Sense`) that owns N child accessories — one per logical sensor surface (presence-bedroom, presence-office, vitals-bedroom, semantic-events, …). Operators pair the bridge once; child accessories appear automatically and can be re-assigned to rooms in the Apple Home app.
-
-The alternative — N independent accessories each advertised separately — was rejected. It forces operators to pair RuView once per room (`RuView Bedroom`, `RuView Office`, `RuView Wellness`, `RuView Presence`, …), which becomes messy after the second or third room, and diverges from how every reference HomeKit accessory in the Home app behaves (a Hue bridge with bulbs, an Eve Energy bridge, etc.). Single pairing also makes container restart / re-image trivial — one persisted pairing key, not N.
-
-### 2.1.d — **Identity-risk mapping: semantic events, not probabilistic surveillance** (decided)
-
-`identity_risk_score` is a continuous 0..1 confidence from the BFLD identity-features pipeline (ADR-121 §2.6). It must NOT cross the HomeKit boundary as a raw value, and must NOT be wired to `SecuritySystemCurrentState`. Apple-Home users read security-system state as **"intruder detected"** — exposing a probability there turns RuView into surveillance UX with all the false-positive blame that entails.
-
-Instead, the bridge exposes **thresholded semantic events** that read like ambient awareness, not threat detection:
-
-| Semantic event | HomeKit primitive | Trigger (illustrative) |
-|----------------|--------------------|-------------------------|
-| `Unknown Presence` | `MotionSensor` (programmable; stateful) | BFLD class-2 presence + no matching SoulMatch oracle hit (ADR-121 §2.6) for > 30 s |
-| `Unexpected Occupancy` | `OccupancySensor` (programmable) | Occupancy in a room outside its operator-defined "expected schedule" window |
-| `Unrecognized Activity Pattern` | Programmable `Switch` (stateful, momentary) | BFLD longitudinal drift gate (ADR-118 §2.3 / ADR-122 §2.7) fires Reject or Recalibrate |
-
-What stays internal:
-
-- Raw `identity_risk_score` (numeric 0..1) — never published
-- Soul-Signature match probability — never published
-- `rf_signature_hash` — never published (already enforced by ADR-118 §2.5 / ADR-122 §2.4 — this is the structural invariant restated at the HAP boundary)
-
-The naming is the contract. "Unknown Presence" is *who's-here-and-it's-fine-but-worth-noting*; an end user will write an automation ("turn on the porch light when Unknown Presence is detected after 9pm") without ever thinking it accuses anyone of being an intruder. That semantic framing is the difference between RuView becoming the calm-tech ambient substrate Apple Home needs vs. another paranoid surveillance widget.
-
-This is the part of the ADR that determines whether RuView's HomeKit story ages well or generates the wrong kind of headlines.
-
-### 2.2 What we DO NOT do in 2.1.a or 2.1.b
-
-- **No Matter (CHIP) controller code.** Matter is the long-term play but its SDK in Rust is not yet stable and the certificate provisioning is heavy. HAP-1.1 over Bonjour gives 95% of the UX for 10% of the complexity, today.
-- **No direct connection to the HomePod.** As the framing in §1.1 makes explicit, RuView never opens a socket to the HomePod. It advertises; the HomePod discovers.
-- **No iCloud account binding.** HAP pairing is local-network-only by design — RuView gets adoption without ever touching Apple ID, which is a privacy story we keep cleanly.
-- **No Class-0 (`Raw`) BFI exposure.** Structural invariant I1 (ADR-118 §2.2) holds. Only privacy-class-2 (Anonymous) and class-3 (Restricted) frames may be mapped onto HomeKit characteristics. The advertiser refuses to start in any other mode.
-
-### 2.3 Sequencing
-
-1. **P1** (this ADR-125 + 1 PR) — HAP-python sidecar (§2.1.a) lands as a separate entrypoint in the same Docker image. AC A1–A5 are gates.
-2. **P2** (follow-up PR after operator feedback from 5+ Apple Home pairings) — Rust-native HAP (§2.1.b). Replaces P1; P1's `bridges/hap-python/` becomes an archived reference implementation.
-3. **P3** (when matter-rs stabilizes) — Matter Controller path (still RuView-as-accessory, but using the Matter clusters rather than HAP-1.1 services). The Cognitum Cog gains a Matter QR code; pairing flow widens to "any Matter-capable controller, not just Apple."
-
----
-
-## 3. Consequences
-
-### 3.1 Wins
-
-- **Direct discoverability on Apple Home.** A Seed in the kitchen appears as `RuView Sense` in the Home app within seconds of `docker run`. No HA, no MQTT broker, no Home-Assistant HomeKit Bridge add-on.
-- **Siri natively answers RuView questions.** "Hey Siri, is anyone in the kitchen?" — the question reaches the HomeKit characteristic without any custom skill or HA template sensor.
-- **Apple-Home automations gain ambient triggers** RuView already produces (presence, breathing, fall, identity-risk) for free — they become first-class automation triggers in the Home app's UI.
-- **Strategically corrects RuView's distribution problem.** The Apple Home installed base is the largest consumer surface for HomeKit-grade accessories. RuView's sensing IP becomes addressable to that base without an SDK port.
-- **Closes ADR-116 §P7** — the long-flagged matter / HAP gap is now scheduled, not deferred indefinitely.
-
-### 3.2 Costs
-
-- **Python runtime in the Docker image (only for 2.1.a, until 2.1.b lands).** Adds ~30 MB to the runtime layer. Mitigation: P2 removes it; P1 isolates the Python dep in a side-stage so the sensing-server / cog-ha-matter layers stay clean.
-- **Network-mode constraint.** HAP pairing needs the controller and accessory on the same L2 segment (mDNS broadcasts). Operators who run RuView in a container behind a NAT/bridge need `--network host` or a macvlan — same constraint HA's HomeKit Bridge has, but worth documenting.
-- **Pairing state persistence.** HAP-python stores pairing data in a local file; that state must survive container restarts. Volume-mount `/var/lib/ruview-hap/` to a persistent location.
-
-### 3.3 Risks
-
-- **HAP-python maintenance.** The library is community-maintained; if it goes stale, P2 (Rust-native) absorbs the risk. 2.1.a is explicitly a stepping stone, not a long-term commitment.
-- **Apple's evolving requirements.** HomeKit Accessory Certification is required to put a HAP logo on hardware, not to ship a software accessory that pairs locally. RuView's container deployment is squarely in the "uncertified developer accessory" lane, which Apple explicitly permits for local pairing. Worth restating in the operator README.
-- **Privacy-class enforcement at the bridge boundary.** A bug that lets a class-0 BFI frame's data influence a HAP characteristic update would violate I1. Mitigation: the bridge consumes only the BFLD `MqttEvent` stream (which is already gated by `PrivacyGate` per ADR-120), never raw BFI; tests assert this in the same style as ADR-122 §4.3.
-
-### 3.4 Reversibility
-
-The advertiser is a separate entrypoint — pulling it out is `docker run` without the `hap-accessory` first-arg, identical to today's behavior. Zero impact on `sensing-server` and `cog-ha-matter` operations.
-
----
-
-## 4. Acceptance test (P1 / §2.1.a)
-
-```bash
-# 1. Start a sensing server (simulated source so the test runs anywhere)
-docker run -d --name rs -p 3000:3000 -e CSI_SOURCE=simulated \
-    ruvnet/wifi-densepose:latest
-
-# 2. Launch the HAP advertiser sidecar in privacy mode
-docker run -d --name hap --network host \
-    -v /var/lib/ruview-hap:/var/lib/ruview-hap \
-    -e RUVIEW_BFLD_PRIVACY_CLASS=2 \
-    ruvnet/wifi-densepose:latest hap-accessory --privacy-mode
-
-# 3. From a Mac on the same LAN: should see RuView Sense as HAP
-dns-sd -B _hap._tcp local.   # expect: "RuView Sense" within 30 s
-
-# 4. From iPhone Home app: Add Accessory → More Options → RuView Sense
-#    Enter setup code from `docker logs hap`
-#    Expect: pairing completes, entity appears in selected Room
-
-# 5. Cycle the container; re-open Home app: entity is still paired
-docker restart hap
-# Expect: no re-pairing prompt; characteristic updates resume
-```
-
----
-
-## 5. Open questions
-
-Two questions from the original draft were resolved during review (§2.1.c and §2.1.d). Genuinely-open questions that follow-up PRs will close:
-
-- **Setup-code derivation.** Derived deterministically from the Seed's Ed25519 witness key (so reinstalls re-use the same code, operator never re-enters), or random per launch (slightly better security, worse UX on container restarts)? Leaning deterministic + witness-key-derived; verify against Apple's HomeKit Accessory Protocol §5.6.5 (setup-code uniqueness) before committing.
-- **ESP32 / Cognitum-Seed-class hardware as a direct HAP advertiser** (not via the host appliance). The current decision parks the bridge on the host runtime; a future ADR can evaluate whether an ESP32-S3 with 8MB flash has enough headroom to run HAP-1.1 directly, which would remove the host appliance from the path entirely for single-room deployments.
-
----
-
-## 6. References
-
-- ADR-115 — Home-Assistant integration (HA-DISCO MQTT publisher)
-- ADR-116 — `cog-ha-matter` Seed cog (this is where the `matter` feature stub lives)
-- ADR-118 — BFLD beamforming-feedback layer (privacy gate + class invariants)
-- ADR-122 — BFLD RuView HA/Matter exposure (current MQTT-based bridge that this ADR's HAP-native path complements)
-- HomeKit Accessory Protocol Specification (Non-Commercial Version), Apple — https://developer.apple.com/apple-home/
-- HAP-python — https://github.com/ikalchev/HAP-python
-- `hap` (Rust) — https://crates.io/crates/hap

docs/adr/ADR-126-ruview-native-ha-port-master.md

@@ -1,362 +0,0 @@
-# ADR-126: HOMECORE — Native Rust + WASM + TypeScript port of Home Assistant
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-25 |
-| **Deciders** | ruv |
-| **Codename** | **HOMECORE** — native hub, RuView-first, WASM-safe, semantically aware |
-| **Relates to** | [ADR-115](ADR-115-home-assistant-integration.md) (HA-DISCO), [ADR-116](ADR-116-cog-ha-matter-seed.md) (HA-COG), [ADR-117](ADR-117-pip-wifi-densepose-modernization.md) (PIP-PHOENIX), [ADR-118](ADR-118-bfld-beamforming-feedback-layer-for-detection.md) (BFLD), [ADR-124](ADR-124-rvagent-mcp-ruvector-npm-integration.md) (SENSE-BRIDGE), [ADR-125](ADR-125-ruview-apple-home-native-hap-bridge.md) (APPLE-FABRIC) |
-| **Tracking issue** | TBD |
-| **Sub-ADRs** | ADR-127 through ADR-134 |
-
----
-
-## 1. Context
-
-### 1.1 Strategic position in 2026
-
-Home Assistant (HA) is the dominant open-source home automation hub with more than 500,000 active installs (ADR-115 §1.2 competitive scan). Every prior RuView integration decision has been made with HA as a given constraint: ADR-115 built an MQTT auto-discovery publisher to fit inside HA, ADR-116 packaged it as a Cognitum Seed cog, ADR-122 extended it with BFLD presence events, and ADR-125 layered a native HAP bridge on top of the same stack.
-
-This approach yields functioning integrations, but it positions RuView permanently as a **guest in someone else's hub**. The architectural limits of Python HA are not just cosmetic:
-
-| Limit | Impact on RuView's roadmap |
-|---|---|
-| **Single-process Python GIL** | CSI DSP pipeline, BFLD analysis, and ruvector semantic search cannot run concurrently inside the HA process; they must run as external services connected over MQTT or WebSocket, introducing a round-trip on every sensor update |
-| **Startup time (15–30 s on a Pi 5)** | The Cognitum Seed appliance restarts firmware-update-by-firmware-update; a 30 s hub startup on every OTA cycle is user-visible latency |
-| **Memory footprint (300 MB+ idle)** | On a Pi 5 with 8 GB this is tolerable; on a Pi Zero 2 W or an embedded board with 512 MB it precludes co-location with the sensing stack |
-| **No WASM safety boundary for integrations** | HA's 2,000+ community integrations are Python modules loaded directly into the HA process — one buggy integration can crash the hub or read arbitrary memory |
-| **Recorder is structural only** | SQLite + InfluxDB store state history as rows; there is no semantic search. "Show me when the porch light correlated with the bedroom CSI anomaly last week" requires manual SQL |
-| **Voice assistant is additive** | Assist (`homeassistant/components/assist_pipeline/`) was added in 2022–2023 and is well-designed, but intent matching is keyword-based, not embedding-based; ruflo LLM pipelines cannot natively plug in |
-| **Frontend is a 5 MB Lit-element bundle** | The dashboard compiles to ~5 MB of JavaScript; on low-bandwidth appliance UIs or Progressive-Web-App installs, this is perceptible load time |
-
-These are not HA's failures — they are Python architectural realities. For a generic home automation hub they are acceptable. For a hub where the core value proposition is **real-time RF sensing, AI-augmented automation, and edge-native deployment on constrained hardware**, they are ceilings.
-
-### 1.2 The opportunity
-
-Three recent ADR shipments create the inflection point:
-
-1. **ADR-117 (PIP-PHOENIX)** — `wifi-densepose==2.0.0a1` + `ruview==2.0.0a1` on PyPI as PyO3/maturin wheels, providing a Python developer surface over the Rust sensing core.
-2. **ADR-118 (BFLD)** — a complete beamforming feedback capture and privacy-risk scoring layer, proving that RuView's sensing stack can be a compliance instrument, not just a sensor.
-3. **ADR-124 (SENSE-BRIDGE)** — `@ruvnet/rvagent` on npm as a dual-transport MCP server, proving that the sensing stack can be expressed as a first-class AI-agent tool surface.
-
-The gap that remains: there is no hub that treats all of these as **native first-class features** rather than bolt-on integrations. HOMECORE fills that gap by porting the HA data model and API surface to Rust, replacing HA's Python internals with the RuView Rust crates, and wrapping community integrations in WASM sandboxes.
-
-### 1.3 What this ADR is *not*
-
-- Not a fork of the Python HA codebase. HOMECORE is a **clean-room Rust implementation** of HA's public API contracts and data model, not a line-by-line port.
-- Not a replacement of the existing sensing stack. `v2/crates/wifi-densepose-*` remain authoritative.
-- Not a deprecation of ADR-115/116/117/124/125. Those integrations continue to work with Python HA installs. HOMECORE is an additional deployment target, not a replacement mandate.
-- Not a Matter SDK full-implementation. ADR-125 handles Matter; HOMECORE consumes the Matter bridge via the existing `cog-ha-matter` surface.
-- Not a target for this quarter's sprint. HOMECORE is a multi-quarter initiative. This master ADR and its sub-ADRs define the architecture; implementation begins in P1.
-
----
-
-## 2. Decision
-
-Build **HOMECORE**: a native Rust + WASM + TypeScript implementation of the Home Assistant hub contract, integrated with the RuView sensing platform, the ruflo agent toolchain, and the ruvector vector layer.
-
-HOMECORE is wire-compatible with HA's REST and WebSocket APIs so that existing HA-native clients (the iOS/Android Home Assistant companion apps, HACS, Nabu Casa Cloud, and the HA voice satellite stack) operate without modification against a HOMECORE instance.
-
-HOMECORE is NOT a drop-in replacement on day one. The compatibility contract is phased (§6). The architecture is designed so that clients that work with HA today work with HOMECORE P3+.
-
-### 2.1 Codename rationale
-
-**HOMECORE** — the `core` of HA reimplemented at native speed, with the sensing stack at the center rather than at the periphery.
-
----
-
-## 3. Architecture overview
-
-```
-┌──────────────────────────────────────────────────────────────┐
-│                     HOMECORE process                          │
-│                                                               │
-│  ┌─────────────┐  ┌──────────────┐  ┌───────────────────┐  │
-│  │  homecore   │  │  homecore-   │  │  homecore-        │  │
-│  │  state      │  │  automation  │  │  recorder         │  │
-│  │  machine    │  │  engine      │  │  (SQLite +        │  │
-│  │  (ADR-127)  │  │  (ADR-129)   │  │  ruvector)        │  │
-│  └──────┬──────┘  └──────┬───────┘  │  (ADR-132)        │  │
-│         │                │          └───────────────────┘  │
-│  ┌──────▼──────────────────────────────────┐               │
-│  │              Event Bus (Tokio broadcast) │               │
-│  └──────┬──────────────────────────────────┘               │
-│         │                                                    │
-│  ┌──────▼──────────────────────────────────┐               │
-│  │     homecore-rest-websocket-api (ADR-130)│               │
-│  │     Axum server — HA wire-compat API     │               │
-│  └──────────────────────────────────────────┘               │
-│                                                               │
-│  ┌──────────────┐  ┌──────────────────────────────────────┐ │
-│  │ Integration  │  │  homecore-assist-ruflo (ADR-133)      │ │
-│  │ Plugin System│  │  ruflo agent orchestration            │ │
-│  │ (ADR-128)    │  │  ruvector intent embeddings           │ │
-│  │ WASM sandbox │  │  Wyoming protocol edge               │ │
-│  └──────────────┘  └──────────────────────────────────────┘ │
-│                                                               │
-│  ┌──────────────────────────────────────────────────────┐   │
-│  │  RuView sensing core (wifi-densepose-sensing-server) │   │
-│  │  CSI → presence / vitals / pose / BFLD / semantic    │   │
-│  └──────────────────────────────────────────────────────┘   │
-└──────────────────────────────────────────────────────────────┘
-          │ HA-compatible REST + WebSocket
-          ▼
-┌──────────────────────────┐
-│ homecore-frontend-ts-wasm │  (ADR-131)
-│ TypeScript + Rust→WASM   │
-│ SharedWorker state sync  │
-└──────────────────────────┘
-```
-
-The HOMECORE process is a single Tokio-based async Rust binary. The state machine and event bus are the authoritative core (ADR-127). Integrations run in WASM sandboxes that communicate with the core via a defined ABI (ADR-128). The automation engine runs Rust-native trigger evaluation with a WASM expression evaluator for templates (ADR-129). The REST/WebSocket API layer is Axum-based and wire-compatible with HA (ADR-130). The frontend is TypeScript with the state machine compiled to WASM running in a SharedWorker (ADR-131). Historical state is stored in SQLite with ruvector for semantic search (ADR-132). Voice/text assistance uses ruflo agent orchestration (ADR-133).
-
----
-
-## 4. Series map
-
-| ADR | Codename | Scope | Critical path? | Estimated P5-completion |
-|---|---|---|---|---|
-| **ADR-127** | HOMECORE-CORE | Rust state machine, entity registry, event bus, service registry (`homecore` crate) | **Yes — all others depend on it** | Q3 2026 |
-| **ADR-128** | HOMECORE-PLUGINS | WASM integration plugin system, cog substrate, manifest schema, hot-load | **Yes — needed before any integration can run** | Q3 2026 |
-| **ADR-129** | HOMECORE-AUTO | Automation engine, YAML parser, Jinja2-equivalent WASM evaluator, blueprints | Yes (automation is core to HA UX) | Q4 2026 |
-| **ADR-130** | HOMECORE-API | REST + WebSocket wire-compat API, Axum server, HA companion app support | **Yes — needed for client compat** | Q3 2026 |
-| **ADR-131** | HOMECORE-UI | TS + Rust→WASM frontend, SharedWorker state sync, Material 3 design lang | No (can run alongside Python HA UI initially) | Q1 2027 |
-| **ADR-132** | HOMECORE-RECORDER | SQLite recorder + ruvector semantic history, schema migration | No (structural recorder ships before ruvector layer) | Q4 2026 |
-| **ADR-133** | HOMECORE-ASSIST | ruflo agent voice assistant, ruvector intent matching, Wyoming edge path | No | Q4 2026 |
-| **ADR-134** | HOMECORE-MIGRATE | Migration tooling from Python HA, config-entry parser, side-by-side mode | No (needed for user adoption) | Q1 2027 |
-
-**Critical path**: ADR-127 → ADR-128 → ADR-130 must land in that order. ADR-129, ADR-132, ADR-133, ADR-131, ADR-134 can proceed in parallel once the core triad is stable.
-
----
-
-## 5. Cross-cutting decisions
-
-The following decisions govern all 8 sub-ADRs and are not repeated in each.
-
-### 5.1 Governance via RUVIEW-POLICY (ADR-124 §4.1a)
-
-Every HOMECORE component that returns biometric data (presence, HR/BR, pose keypoints, BFLD identity-risk) MUST route through the RUVIEW-POLICY layer defined in ADR-124 §4.1a. The policy store is the same `~/.config/rvagent/policy.json` used by `@ruvnet/rvagent`. HOMECORE is a first-class policy principal — its agent ID in the policy store is `homecore`.
-
-### 5.2 Semantic memory via ruvector
-
-Historical state is not only stored in SQLite rows (structural). Every state-changed event is also embedded via ruvector (using the same napi-rs bindings as ADR-124) and indexed in an HNSW store for semantic search. The `homecore-recorder` crate (ADR-132) owns this dual-write. Queries like "when did the living room motion last exceed baseline?" become vector-nearest-neighbour searches, not SQL BETWEEN clauses.
-
-### 5.3 Agent orchestration via ruflo
-
-The automation engine (ADR-129) and the assist pipeline (ADR-133) both have an optional ruflo-agent mode where complex conditions or voice intents are routed to a ruflo agent (using the `mcp__claude-flow__*` tool namespace) for LLM-backed resolution. This is gated by RUVIEW-POLICY: a policy grant is required before HOMECORE sends any state-history context to a ruflo agent.
-
-### 5.4 Witness and audit via Ed25519 chain (ADR-028 pattern)
-
-Every state transition that crosses a privacy boundary (e.g. BFLD identity-risk score elevated, a biometric entity state published) is logged to an Ed25519 witness chain using the same structure as ADR-028 §3. The witness bundle is exportable for regulated deployments (care homes, hotels, shared offices).
-
-### 5.5 Crate naming and workspace placement
-
-All HOMECORE crates live in `v2/crates/homecore-*/`:
-
-| Crate | ADR |
-|---|---|
-| `homecore` | ADR-127 |
-| `homecore-plugins` | ADR-128 |
-| `homecore-automation` | ADR-129 |
-| `homecore-api` | ADR-130 |
-| `homecore-recorder` | ADR-132 |
-| `homecore-assist` | ADR-133 |
-| `homecore-migrate` | ADR-134 |
-
-The frontend (`homecore-frontend`) is not a Rust crate — it is an npm package at `npm/homecore-frontend/`, mirroring the `npm/rvagent/` pattern from ADR-124.
-
-### 5.6 HA wire-compatibility baseline
-
-The HOMECORE REST and WebSocket API must be **compatible with HA 2025.1** as the baseline. HA 2025.1 introduced schema version 48 in the recorder. The API surface to replicate is:
-
-- REST: `homeassistant/components/api/__init__.py` — 24 endpoints
-- WebSocket: `homeassistant/components/websocket_api/` — the `connection.py` + `commands.py` handler pattern, the auth handshake, and the `subscribe_events` / `subscribe_trigger` / `call_service` commands
-- Auth: `homeassistant/auth/` — the long-lived access token model
-- Config entries: `.storage/core.config_entries` JSON schema (versioned, auto-migrated)
-
-### 5.7 "Do not port" list
-
-The following HA subsystems are explicitly **not** ported to HOMECORE:
-
-| HA subsystem | Reason not ported | HOMECORE replacement |
-|---|---|---|
-| **SUPERVISOR** (`homeassistant/supervisor/`) | Manages add-on containers and OS upgrades. HOMECORE runs on a standard Linux/Pi OS managed by systemd. | ruflo + systemd service units + OTA via the existing Cognitum Seed OTA registry (ADR-116 §2.2) |
-| **Home Assistant OS** (HAOS) | A custom embedded Linux image. HOMECORE targets standard Debian/Ubuntu on Pi 5 and standard Docker. | Standard OS + Docker Compose or systemd |
-| **Nabu Casa Cloud** | Paid remote-access and Alexa/Google integration service. HOMECORE uses Tailscale for remote access and `@ruvnet/rvagent` for AI integration. | Tailscale + ADR-107 federation + SENSE-BRIDGE |
-| **Add-on store** (Supervisor add-ons) | Docker container management. | Cognitum Seed cog registry (ADR-102) |
-| **Legacy YAML-only integrations** (pre-config-flow, ~500 of 2,000) | These require Python `setup_platform` (deprecated in HA 2024.x). Only config-flow integrations (`async_setup_entry`) are ported. | Document upgrade path; unported integrations can run via `homecore-migrate` bridge mode |
-| **Analytics / Nabu Casa telemetry** | Optional cloud telemetry. | Not replicated. HOMECORE is local-only. |
-| **Home Assistant Yellow / Green hardware** | Specific hardware. HOMECORE targets Cognitum Seed, Pi 5, and x86_64. | Cognitum Seed hardware |
-
----
-
-## 6. Compatibility contract
-
-### 6.1 What works on day one (P3, wire-compat API stable)
-
-| Client | Works? | Notes |
-|---|---|---|
-| **HA iOS companion app** | Yes | Connects to `/api/websocket`; authenticates with long-lived token; subscribes to state events |
-| **HA Android companion app** | Yes | Same as iOS |
-| **Home Assistant Dashboard (frontend)** | Yes (HA frontend served against HOMECORE API) | Until HOMECORE-UI (ADR-131) ships, serve the Python HA frontend binary against the HOMECORE API |
-| **HACS** | Partial | HACS uses the WS API for integration management; custom component loading requires HOMECORE-PLUGINS (ADR-128) |
-| **Node-RED HA integration** | Yes | Uses REST + WS API; wire-compat |
-| **`homeassistant` Python client library** | Yes | Pure REST/WS client |
-| **`ha-mqtt-discoverable` Python library** | Yes | Publishes MQTT discovery; HOMECORE consumes the same topics |
-| **ESPHome devices** | Yes | ESPHome native API or MQTT; HOMECORE speaks both |
-| **Nabu Casa Cloud** | **No** | Nabu Casa uses a proprietary remote-access tunnel to `nabucasa.com`. HOMECORE does not integrate with the Nabu Casa cloud proxy. Replace with Tailscale. |
-| **M5Stack ATOM Echo / voice satellites** | Yes (P4) | Wyoming protocol is HOMECORE-ASSIST (ADR-133) scope |
-| **HACS custom cards** | Yes (after ADR-131 P3) | Custom cards are served via the same `/hacsfiles/` static route |
-
-### 6.2 What breaks and why
-
-| HA feature | HOMECORE status | Reason |
-|---|---|---|
-| Nabu Casa remote access | Not supported | Proprietary tunnel; replace with Tailscale |
-| HA Supervisor add-ons | Not supported | No container manager in HOMECORE |
-| HAOS OTA updates | Not supported | HOMECORE runs on standard OS |
-| Python custom integrations (non-WASM) | Not supported | WASM sandbox only; Python integrations cannot run natively |
-| Legacy `setup_platform` integrations | Not supported | Config-flow (`async_setup_entry`) only |
-| HA Cloud TTS/STT (Nabu Casa) | Not supported | Use Whisper + Piper locally |
-| HA Cloud Alexa/Google skill | Not supported | Use ruflo agent instead |
-
----
-
-## 7. Phase roadmap
-
-```
-Q3 2026    Q4 2026    Q1 2027    Q2 2027
-   P1         P2         P3         P4         P5
-scaffold   state+API  wire-compat  plugins+    full
-           core       HA clients  automation  HOMECORE
-```
-
-### P1 — Scaffold (Q3 2026, 2 weeks)
-
-- [ ] Create `v2/crates/homecore/` workspace member, empty state machine skeleton.
-- [ ] Create `v2/crates/homecore-api/` skeleton, Axum server on port 8123 (HA default).
-- [ ] Create `npm/homecore-frontend/` skeleton.
-- [ ] CI: `cargo check -p homecore -p homecore-api --no-default-features` green.
-- [ ] ADR-134 migration tool parses one `.storage/core.config_entries` fixture.
-
-### P2 — State machine + API core (Q3 2026, 4 weeks)
-
-- [ ] ADR-127 state machine: entity registry, state machine, event bus (Tokio broadcast), service registry.
-- [ ] ADR-130 API: REST endpoints, WebSocket auth handshake, `subscribe_events`, `call_service`.
-- [ ] ADR-132 recorder: SQLite schema (HA schema version 48 compatible), state write path.
-- [ ] Integration test: HA companion app authenticates and receives state updates.
-
-### P3 — Wire-compat + plugin scaffold (Q3–Q4 2026, 6 weeks)
-
-- [ ] ADR-128 plugin system: WASM sandbox, manifest schema, first ported integrations (MQTT, HTTP).
-- [ ] ADR-130 API: remaining WS commands, HACS support.
-- [ ] ADR-134 migration: reads `automations.yaml`, `secrets.yaml`, config entries.
-- [ ] ADR-132 recorder: ruvector dual-write, semantic search API.
-
-### P4 — Automation + assist (Q4 2026, 4 weeks)
-
-- [ ] ADR-129 automation engine: YAML parser, trigger evaluation, WASM expression evaluator.
-- [ ] ADR-133 assist: ruflo agent orchestration, ruvector intent matching.
-- [ ] ADR-131 frontend P1: TypeScript shell, WASM state machine in SharedWorker.
-
-### P5 — Full HOMECORE (Q1 2027, 6 weeks)
-
-- [ ] ADR-131 frontend: complete UI parity with HA Lovelace, custom cards.
-- [ ] ADR-134 migration: side-by-side mode, one-click cutover.
-- [ ] Full compatibility test suite against HA iOS/Android companion apps.
-- [ ] Pi 5 performance benchmarks: startup < 1 s, idle < 50 MB RAM.
-
----
-
-## 8. Alternatives rejected
-
-### Alt-A: Contribute RuView sensing features upstream to Python HA
-
-Add the HOMECORE features (WASM plugins, ruvector recorder, ruflo assist) as Python HA components via PRs to `home-assistant/core`.
-
-**Rejected because**: HA's architecture board has strict policies against adding new runtimes (WASM, Rust FFI) to the core process. The GIL bottleneck cannot be resolved from within Python HA. CSI DSP at 100 Hz frame rate inside a Python process is not feasible. This path cedes architectural control permanently.
-
-### Alt-B: Thin Rust wrapper that calls into Python HA via PyO3
-
-Keep Python HA as the runtime; expose RuView sensing primitives via PyO3 bindings so they run at native speed inside the Python HA process.
-
-**Rejected because**: the GIL is not resolved by PyO3 calls — the HA event loop still serialises all state changes. Startup time and memory footprint are unchanged. WASM plugin safety is unchanged. This is a tactical optimisation, not an architectural solution.
-
-### Alt-C: OpenHAB or Domoticz as the base
-
-Port RuView's sensing stack on top of an alternative hub (openHAB/Java, Domoticz/C++).
-
-**Rejected because**: neither has HA's community network effects, companion app ecosystem, or HACS plugin catalog. A clean-room Rust implementation preserves the HA compatibility contract (the most valuable asset) without inheriting the Python runtime limitations.
-
-### Alt-D: Extend the existing `wifi-densepose-sensing-server` into a full hub
-
-Add automation, entity registry, and recorder features directly to the existing Axum sensing server.
-
-**Rejected because**: the sensing server is a purpose-built single-concern binary (CSI → MQTT/WebSocket). Expanding it into a hub would violate the single-responsibility principle and couple hub release cycles to firmware release cycles. HOMECORE is a separate crate family that depends on but does not modify the sensing server.
-
----
-
-## 9. Top-level risks
-
-| Risk | Likelihood | Severity | Mitigation |
-|---|---|---|---|
-| **API drift** — HA's REST/WS API evolves; HOMECORE must track it | High | High | Pin to HA 2025.1 baseline (schema 48); run the HA companion app integration tests against every HOMECORE release; ADR-130 owns the compat matrix |
-| **WASM sandbox performance** — plugin calls through the WASM boundary add latency | Medium | Medium | Benchmark plugin roundtrip on Pi 5 before P3; reject if >5 ms; WASM3/Wasmtime both have sub-1 ms call overhead for compute-light integrations |
-| **Core triad dependency** — ADR-128 and ADR-130 cannot start until ADR-127 is stable | High | High | ADR-127 is P2 start; freeze the state machine public API (entity_id, state, attributes, last_changed) before ADR-128 begins |
-| **ruvector semantic recorder** — dual-write to SQLite + HNSW may impact write throughput under high-frequency sensing | Medium | High | ruvector writes are async (non-blocking tokio task); SQLite write is the hot path; benchmark at 100 state/s on Pi 5 before ADR-132 ships |
-| **Nabu Casa gap** — users who depend on HA Cloud remote access have no HOMECORE replacement at P3 | High | Medium | Document Tailscale as the replacement prominently; provide ADR-134 migration wizard that detects Nabu Casa usage and offers Tailscale setup |
-| **Frontend bundle size** — replicating the HA Lovelace card ecosystem in TS+WASM is a significant engineering effort | High | High | ADR-131 is off-critical-path; serve HA's Python frontend against the HOMECORE API until ADR-131 P3 ships |
-| **License** — HA is Apache 2.0; the wire protocol is unencumbered; HA's UI assets and card components have separate licenses | Low | High | Clean-room Rust implementation does not use HA source; HA frontend is served as a binary (not embedded); review license before ADR-131 ships any reimplemented component |
-
----
-
-## 10. Open questions
-
-**Q1** (ADR-127): Should the HOMECORE state machine use a `DashMap<EntityId, State>` for lock-free concurrent reads, or a `RwLock<HashMap<EntityId, State>>` for simpler reasoning? The answer affects every integration's write pattern.
-
-**Q2** (ADR-128): Does the WASM sandbox use Wasmtime (Cranelift JIT, ~5 MB binary) or WASM3 (interpreter, ~50 kB binary)? On a Pi 5 WASM3 is sufficient for integration logic; Wasmtime matters if integrations need near-native DSP speed.
-
-**Q3** (ADR-130): The HA WebSocket API uses numeric IDs for command/response correlation. The HA 2025.1 baseline adds `subscribe_trigger` as a first-class WS command. Are there any commands in the HA companion app that require a newer baseline?
-
-**Q4** (ADR-132): The ruvector HNSW index for state history — what embedding dimension represents a state snapshot? Options: (a) embed only numeric sensor states (scalar embedding), (b) embed `{entity_id, state, attributes}` as a text embedding via a local small model, (c) use a fixed schema encoding. The answer determines the semantic query fidelity.
-
-**Q5** (ADR-134): HA's `.storage/core.config_entries` format is versioned but undocumented; it is hand-engineered from reverse-engineering the Python `StorageCollection` class in `homeassistant/helpers/storage.py`. Is this format stable enough to parse without upstream documentation, or does HOMECORE need to maintain a version matrix?
-
----
-
-## 11. References
-
-### This repo
-
-- `docs/adr/ADR-115-home-assistant-integration.md` — HA-DISCO MQTT publisher; 21-entity surface; semantic primitives; competitive comparison table
-- `docs/adr/ADR-116-cog-ha-matter-seed.md` — HA-COG Seed cog; cog packaging precedent (ADR-101)
-- `docs/adr/ADR-117-pip-wifi-densepose-modernization.md` — PIP-PHOENIX PyO3 bindings; Python client surface
-- `docs/adr/ADR-118-bfld-beamforming-feedback-layer-for-detection.md` — BFLD master; privacy class enforcement
-- `docs/adr/ADR-124-rvagent-mcp-ruvector-npm-integration.md` — SENSE-BRIDGE; RUVIEW-POLICY §4.1a; multi-modal normalization §11.3
-- `docs/adr/ADR-125-ruview-apple-home-native-hap-bridge.md` — APPLE-FABRIC HAP bridge
-- `v2/crates/wifi-densepose-sensing-server/src/main.rs` — Axum server architecture; bearer auth pattern
-- `v2/crates/wifi-densepose-ruvector/src/viewpoint/` — cross-viewpoint fusion (attention, coherence, geometry, fusion modules)
-- `CLAUDE.md` — Project topology (hierarchical-mesh, 15 agents), ESP32 hardware table, crate publishing order
-
-### HA upstream
-
-- `homeassistant/core.py` — `HomeAssistant`, `StateMachine`, `EventBus`, `ServiceRegistry`, `Config`
-- `homeassistant/helpers/entity_registry.py` — `EntityRegistry`, `RegistryEntry`
-- `homeassistant/helpers/entity.py` — `Entity`, `async_write_ha_state`, entity lifecycle
-- `homeassistant/components/api/__init__.py` — REST API handler (24 routes)
-- `homeassistant/components/websocket_api/` — `connection.py` auth handshake; `commands.py` WS commands
-- `homeassistant/components/recorder/` — SQLite schema; `migration.py` schema version 48
-- `homeassistant/components/assist_pipeline/` — voice/text pipeline; Wyoming protocol
-- `homeassistant/helpers/template.py` — Jinja2 template engine customisation
-- `homeassistant/components/automation/__init__.py` — automation trigger/condition/action model
-- `homeassistant/helpers/storage.py` — `.storage/*.json` persistence; `StorageCollection`
-- `homeassistant/auth/` — long-lived access token model; `AuthManager`
-
-### External
-
-- [HA Developer Docs — Core Architecture](https://developers.home-assistant.io/docs/architecture/core/) — state machine, event bus, service registry overview
-- [HA Developer Docs — WebSocket API](https://developers.home-assistant.io/docs/api/websocket/) — WS command catalog
-- [DeepWiki HA core — Entity and Registry Management](https://deepwiki.com/home-assistant/core/2.2-entity-and-registry-management) — entity lifecycle
-- [DeepWiki HA core — Data Management](https://deepwiki.com/home-assistant/core/3-data-management) — recorder schema version 48
-- [HA recorder integration](https://www.home-assistant.io/integrations/recorder/) — SQLite default; schema migration overview

docs/adr/ADR-127-homecore-state-machine-rust.md

@@ -1,193 +0,0 @@
-# ADR-127: HOMECORE-CORE — Rust state machine, entity registry, event bus, service registry
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed |
-| **Date** | 2026-05-25 |
-| **Deciders** | ruv |
-| **Codename** | **HOMECORE-CORE** |
-| **Relates to** | [ADR-126](ADR-126-ruview-native-ha-port-master.md) (HOMECORE master), [ADR-028](ADR-028-esp32-capability-audit.md) (witness chain), [ADR-124](ADR-124-rvagent-mcp-ruvector-npm-integration.md) (RUVIEW-POLICY) |
-| **Tracking issue** | TBD |
-
----
-
-## 1. Context
-
-`homeassistant/core.py` is the 3,200-line heart of Python Home Assistant. It defines five objects that every other HA component depends on:
-
-1. **`HomeAssistant`** — the runtime coordinator, event loop holder, and service locator. Contains `bus` (EventBus), `states` (StateMachine), `services` (ServiceRegistry), `config` (Config), `components` (loaded component set).
-2. **`EventBus`** — publish/subscribe event dispatch. `async_fire(event_type, event_data)` dispatches to all registered listeners. Listener registration is `async_listen(event_type, callback)`. Wildcard listener is `MATCH_ALL`. Event data is a plain Python dict.
-3. **`StateMachine`** — an in-memory dictionary from `entity_id` (str) to `State`. `async_set(entity_id, new_state, attributes)` writes and fires `state_changed`. `get(entity_id)` reads. `async_remove(entity_id)` fires `state_removed`. States are immutable snapshots with `last_changed`, `last_updated`, `context`.
-4. **`ServiceRegistry`** — maps `(domain, service_name)` → async handler function. `async_call(domain, service, data)` fires a `call_service` event, waits for the registered handler. `async_register(domain, service, handler, schema)` registers a handler with optional voluptuous schema validation.
-5. **`EntityRegistry`** (`homeassistant/helpers/entity_registry.py`) — persists metadata (enabled/disabled, name override, area assignment, device ID, unique ID, entity category) across restarts. Stored in `.storage/core.entity_registry`. Loaded at startup; written on every change.
-
-The **DeviceRegistry** (`homeassistant/helpers/device_registry.py`, stored in `.storage/core.device_registry`) tracks physical devices that entities belong to. Entities link to devices via `device_id`; devices link to config entries via `config_entry_id`.
-
-### 1.1 Why these specific files matter
-
-Python HA's `core.py` is a single-process Python 3.12 module that:
-- Holds the asyncio event loop directly
-- Serialises all state-changed writes through `asyncio.Lock`
-- Fires event listeners in the same event loop iteration that fired the event (listeners cannot block)
-- Is single-threaded by design — concurrent writes to the state machine are impossible without explicit async primitives
-
-For HOMECORE the same semantic requirements apply, but the implementation must support:
-- **Concurrent reads** from dozens of integration WASM sandboxes polling current state
-- **High-frequency writes** from the RuView sensing stack (CSI at 100 Hz; state updates at up to 20 Hz per entity)
-- **Ordered delivery** of state_changed events to automation triggers (ADR-129) and recorder (ADR-132) subscribers
-- **Zero-copy reads** where possible for the REST API (ADR-130) path
-
----
-
-## 2. Decision
-
-Implement the `homecore` Rust crate at `v2/crates/homecore/` with the following design.
-
-### 2.1 State machine: `DashMap` + Tokio broadcast
-
-The primary state store is a `DashMap<EntityId, Arc<State>>` where:
-- `EntityId` is a validated newtype around `String` (validated format: `domain.name`)
-- `State` is a frozen struct: `entity_id`, `state` (String), `attributes` (serde_json::Value), `last_changed` (DateTime<Utc>), `last_updated` (DateTime<Utc>), `context` (Context)
-- `Arc<State>` allows zero-copy cloning for readers while the writer atomically replaces the map entry
-
-State changes are published to a `tokio::sync::broadcast::Sender<StateChangedEvent>` channel (capacity: 4,096 events). Any number of receivers subscribe — the recorder, automation engine, WebSocket subscriber handler, and ruvector dual-write task all hold independent receivers. Slow receivers that fall behind by 4,096 events receive a `RecvError::Lagged` and must re-sync from the current state map.
-
-### 2.2 Event bus: typed + untyped channels
-
-HOMECORE distinguishes two event categories:
-
-1. **System events** (typed): `StateChanged`, `ServiceCall`, `ComponentLoaded`, `PlatformDiscovered`, `HomeAssistantStart`, `HomeAssistantStop`. These use Tokio typed broadcast channels with zero allocation on the read path.
-2. **Integration events** (untyped): integrations fire arbitrary event types (`event_type: String`, `event_data: serde_json::Value`). These use a single `broadcast::Sender<DomainEvent>` where `DomainEvent` carries the type string and data blob. This mirrors HA's `EventBus.async_fire()`.
-
-### 2.3 Service registry: `HashMap` + mpsc dispatch
-
-Services are registered as `(Domain, ServiceName) → ServiceHandler` where `ServiceHandler` is a `Box<dyn Fn(ServiceCall) -> BoxFuture<ServiceResponse> + Send + Sync>`. The registry lives in a `tokio::sync::RwLock<HashMap<(Domain, ServiceName), ServiceHandler>>`. Service calls go through the event bus (fire `call_service`) and are dispatched to the handler by an internal router task. This matches HA's indirection: `hass.services.async_call(domain, service, data)` does not call the handler directly; it fires an event.
-
-### 2.4 Entity registry: persisted metadata sidecar
-
-The entity registry is a `RwLock<HashMap<EntityId, EntityEntry>>` backed by an async JSON writer that flushes to `.homecore/storage/core.entity_registry` on every write. The schema matches HA's `core.entity_registry` schema (version 13 as of HA 2025.1) so ADR-134 migration can read both formats interchangeably.
-
-`EntityEntry` fields mirrored from HA:
-- `entity_id: EntityId`
-- `unique_id: Option<String>`
-- `platform: String`
-- `name: Option<String>` (user override)
-- `disabled_by: Option<DisabledBy>` (user, integration, config_entry)
-- `area_id: Option<AreaId>`
-- `device_id: Option<DeviceId>`
-- `entity_category: Option<EntityCategory>` (config, diagnostic)
-- `config_entry_id: Option<ConfigEntryId>`
-
-### 2.5 Device registry: parallel sidecar
-
-`DeviceRegistry` mirrors HA's `core.device_registry` schema (version 13). Devices are identified by a set of `(id_type, id_value)` tuples (the `identifiers` field), which matches HA's pattern of accepting multiple identifier types per device (MAC address, serial number, integration-specific ID).
-
----
-
-## 3. HA-side reference table
-
-| HA module / file | What it does | HOMECORE preserves | Changes | Drops |
-|---|---|---|---|---|
-| `homeassistant/core.py` `StateMachine` | In-memory state store, fire `state_changed` | Same semantics: immutable snapshots, `last_changed`, `last_updated`, `context` | `DashMap` instead of asyncio-locked `dict`; `broadcast::Sender` instead of asyncio callbacks | Python asyncio coupling |
-| `homeassistant/core.py` `EventBus` | Pub/sub event dispatch | `MATCH_ALL` listener; per-type listener; event data dict | Typed system events + untyped domain events; no Python dict — use `serde_json::Value` | `@callback` decorator, HassJob abstraction |
-| `homeassistant/core.py` `ServiceRegistry` | Register/call services | Same `(domain, service)` key structure; schema validation | Schema validation via `serde` `Deserialize` trait instead of voluptuous | voluptuous, Python type coercions |
-| `homeassistant/core.py` `HomeAssistant` | Runtime coordinator / service locator | State machine + event bus + services accessible on one struct | Struct with `Arc<HomeCoreInner>` for cheap cloning across tasks | asyncio event loop holder, Python executor |
-| `homeassistant/helpers/entity_registry.py` | Persist entity metadata | All fields listed in §2.4; file format compatible | Async tokio I/O; no Python pickle | Python-specific persistence helpers |
-| `homeassistant/helpers/device_registry.py` | Persist device metadata | `identifiers`, `connections`, `manufacturer`, `model`, `name`, `via_device_id` | Async tokio I/O | — |
-| `homeassistant/helpers/entity.py` | Entity base class | `entity_id`, `state`, `attributes`, `unique_id`, `device_info`, async_write_ha_state semantics | Trait `HomeCoreEntity` instead of class | Python MRO, `@property` decorators |
-| `homeassistant/helpers/event.py` | Convenience event helpers | `async_track_state_change`, `async_track_time_interval` (as Rust timer tasks) | Rust closures / async tasks | Python asyncio task wrappers |
-
----
-
-## 4. Public API parity table
-
-| HA Python surface | HOMECORE Rust equivalent |
-|---|---|
-| `hass.states.get(entity_id)` | `hass.states.get(&entity_id) -> Option<Arc<State>>` |
-| `hass.states.async_set(entity_id, state, attributes)` | `hass.states.set(entity_id, state, attributes).await` |
-| `hass.states.async_remove(entity_id)` | `hass.states.remove(&entity_id).await` |
-| `hass.states.async_all(domain_filter)` | `hass.states.all(domain_filter) -> Vec<Arc<State>>` |
-| `hass.bus.async_fire(event_type, data)` | `hass.bus.fire(event_type, data).await` |
-| `hass.bus.async_listen(event_type, callback)` | `hass.bus.subscribe(event_type) -> broadcast::Receiver<DomainEvent>` |
-| `hass.services.async_call(domain, service, data)` | `hass.services.call(domain, service, data).await -> ServiceResponse` |
-| `hass.services.async_register(domain, service, handler, schema)` | `hass.services.register(domain, service, handler)` |
-| `hass.services.has_service(domain, service)` | `hass.services.has(domain, service) -> bool` |
-| `entity_registry.async_get(entity_id)` | `entity_registry.get(&entity_id) -> Option<&EntityEntry>` |
-| `entity_registry.async_update_entity(entity_id, **kwargs)` | `entity_registry.update(entity_id, patch).await` |
-| `device_registry.async_get_device(identifiers)` | `device_registry.get_by_identifiers(identifiers) -> Option<&DeviceEntry>` |
-| `Context(user_id, parent_id)` | `Context { id: Uuid, parent_id: Option<Uuid>, user_id: Option<UserId> }` |
-
----
-
-## 5. Phased implementation plan
-
-### P1 — Skeleton (2 weeks)
-
-- [ ] Create `v2/crates/homecore/` workspace member with `Cargo.toml`.
-- [ ] Define `State`, `EntityId`, `Domain`, `ServiceName`, `Context`, `DomainEvent` types.
-- [ ] `StateMachine`: `DashMap` + broadcast channel; `set()`, `get()`, `remove()`, `all()`.
-- [ ] `EventBus`: typed broadcast for system events + untyped broadcast for domain events.
-- [ ] Unit tests: 50 state writes/reads with concurrent readers; verify broadcast delivery.
-
-### P2 — Service registry + entity registry (2 weeks)
-
-- [ ] `ServiceRegistry`: `RwLock<HashMap>` + mpsc dispatch task.
-- [ ] `EntityRegistry`: in-memory + JSON async writer to `.homecore/storage/core.entity_registry`.
-- [ ] `DeviceRegistry`: in-memory + JSON async writer to `.homecore/storage/core.device_registry`.
-- [ ] Serialization: `serde` with `#[serde(rename_all = "snake_case")]`; schema version 13 header written to match HA format.
-- [ ] Unit tests: register service, call service, verify handler invoked; persist and reload entity registry.
-
-### P3 — Trait surface for integrations (1 week)
-
-- [ ] `HomeCoreEntity` trait: `entity_id()`, `unique_id()`, `name()`, `device_info()`, `state()`, `attributes()`, `async_write_ha_state(&hass)`.
-- [ ] `Platform` trait: `async_setup_entry(hass, config_entry) -> Result<()>`.
-- [ ] `ConfigEntry` struct mirroring HA's `ConfigEntry` fields.
-- [ ] Integration test: a minimal test integration registers an entity, writes a state, reads it back from the state machine.
-
-### P4 — Performance validation (1 week)
-
-- [ ] Benchmark: 1,000 state writes/s on Pi 5; measure latency at p50/p95/p99.
-- [ ] Benchmark: 100 concurrent WS subscribers each receiving all state_changed events; measure delivery lag.
-- [ ] Benchmark: broadcast channel saturation test at 4,096 capacity; verify `RecvError::Lagged` handling.
-- [ ] Acceptance criterion: p99 state write latency < 1 ms on Pi 5 (8 GB, 4 cores).
-
----
-
-## 6. Risks
-
-| Risk | Likelihood | Severity | Mitigation | Cross-ADR impact |
-|---|---|---|---|---|
-| **Broadcast channel lag** — a slow subscriber (e.g. ruvector recorder write) lags behind and drops events | Medium | High | Give recorder its own channel separate from WS subscribers; recorder is the hot path, give it highest priority | ADR-132: recorder write path must be designed to keep up with 100 Hz state writes |
-| **DashMap contention** — shard count default (16) may be too low for 100 Hz writes on a single entity | Low | Medium | Increase DashMap shard count to 64; benchmark before ADR-130 integration | ADR-130: REST API reads state directly from DashMap — must be lock-free |
-| **Entity registry format drift** — HA updates `.storage/core.entity_registry` schema; HOMECORE falls behind | Medium | Medium | Pin to schema version 13; version-check on load; fail loudly on unknown version | ADR-134: migration tool reads HA entity registry — must support the same schema version |
-| **Context propagation** — HA's `Context` is used for audit trails (which automation triggered which service call). HOMECORE must propagate it correctly or automation audits break | High | Low | Derive `Context` from source event at every service call; thread through `ServiceCall.context` field | ADR-129: automation engine must supply context when calling services |
-
----
-
-## 7. Open questions
-
-**Q1**: Should `EntityId` validation be strict (reject anything that doesn't match `[a-z0-9_]+\.[a-z0-9_]+`) or lenient (accept any UTF-8 string)? HA itself accepts unicode entity IDs since 2024.3. Strict validation simplifies routing; lenient matches HA's actual behaviour.
-
-**Q2**: The `broadcast::Sender` capacity of 4,096 is chosen based on a worst-case of 100 state writes/s × 40 s of acceptable lag before a slow receiver is declared dead. Is 40 s the right threshold, or should it be configurable per receiver?
-
-**Q3**: Should the `HomeCoreEntity` trait be object-safe (enabling `Vec<Box<dyn HomeCoreEntity>>`) or use associated types (enabling monomorphisation)? Object safety is required for the WASM plugin boundary (ADR-128); monomorphisation is faster for built-in integrations.
-
-**Q4**: HA's `State.context` carries a `user_id` that traces which user or automation initiated a state change. HOMECORE uses `UserId` from the auth layer (ADR-130). Is the auth layer a dependency of the core state machine, or should `user_id` be an optional opaque string to avoid circular deps?
-
----
-
-## 8. References
-
-### HA upstream
-
-- `homeassistant/core.py` — `HomeAssistant`, `StateMachine` (lines 1–800), `EventBus` (lines 800–1100), `ServiceRegistry` (lines 1100–1500), `Config` (lines 1500–2000)
-- `homeassistant/helpers/entity_registry.py` — `EntityRegistry`, `RegistryEntry` (all ~1,900 lines); schema version constant `STORAGE_VERSION`
-- `homeassistant/helpers/device_registry.py` — `DeviceRegistry`, `DeviceEntry`; schema version
-- `homeassistant/helpers/entity.py` — `Entity` base class; `async_write_ha_state`; entity lifecycle hooks
-- `homeassistant/helpers/event.py` — `async_track_state_change`, `async_track_time_interval`
-
-### This repo
-
-- `v2/crates/wifi-densepose-sensing-server/src/main.rs` — Axum + Tokio architecture pattern used throughout the existing server stack
-- `docs/adr/ADR-126-ruview-native-ha-port-master.md` — HOMECORE master; §5.5 crate naming; §6 compatibility contract; §5.1 RUVIEW-POLICY
-- `docs/adr/ADR-028-esp32-capability-audit.md` — witness chain pattern (Ed25519 per state transition)