cog-ha-matter (ADR-116 P4): Ed25519 signing layer for witness chain

Closes the cryptographic-attestation gap in ADR-116 §2.2: every
witness event can now be signed by the Seed's Ed25519 key, with
verify available to any auditor holding the public key.

Module shape (`src/witness_signing.rs`, kept separate from
`witness::` so the hash chain stays usable without dalek linked
in — important for the wasm32 audit-verifier variant we'll ship
later):

  * sign_event(event, &SigningKey) -> Signature
  * verify_signature(event, &Signature, &VerifyingKey)
        -> Result<(), SignatureVerifyError>
  * signature_to_hex / signature_from_hex (128-char lowercase,
    matches the witness hex convention)
  * SignatureVerifyError::Invalid
  * SignatureParseError::{Length, Hex}

Key design point: signature covers the SAME canonical bytes
witness::hash_event hashes. That means:

  1. A signed event commits to the entire event content (kind,
     payload, timestamp, seq, prev_hash) — no field can be
     retroactively changed without invalidating both the hash AND
     the signature.

  2. The signature implicitly commits to the event's *chain
     position* via prev_hash — splicing a signed event into a
     different chain breaks verification.

Adds `ed25519-dalek = "2.1"` to cog-ha-matter (already in
workspace via ruv-neural, version kept aligned).

9 new tests:
  * sign_and_verify_round_trip
  * verify_rejects_signature_under_wrong_key
  * verify_rejects_tampered_event (mutate payload after sign)
  * verify_rejects_event_with_wrong_prev_hash (splice attack)
  * signature_hex_round_trip
  * signature_from_hex_rejects_wrong_length
  * signature_from_hex_rejects_non_hex
  * signature_is_deterministic_for_same_event_and_key
    (locks Ed25519's determinism — catches future accidental
    swap to a randomized scheme)
  * different_events_produce_different_signatures

60/60 cog tests green (51 → 60). Key management is intentionally
out of scope here — the cog runtime reads the Seed's key from the
Cognitum control plane's secure store (separate concern).

ADR-116 P4 now ⁵⁄₆: ✅ mDNS record, ✅ chain, ✅ JSONL, ✅ file
persistence, ✅ Ed25519 signing; ⏳ responder + embedded broker.

Co-Authored-By: claude-flow <ruv@ruv.net>

README.md

@@ -14,14 +14,10 @@
 > **Beta Software** — Under active development. APIs and firmware may change. Known limitations:
 > - ESP32-C3 and original ESP32 are not supported (single-core, insufficient for CSI DSP)
 > - Single ESP32 deployments have limited spatial resolution — use 2+ nodes or add a [Cognitum Seed](https://cognitum.one) for best results
-> - Camera-free pose accuracy is limited (PCK@20 ≈ 2.5% with proxy labels) — [camera ground-truth training](docs/adr/ADR-079-camera-ground-truth-training.md) targets **35%+ PCK@20**; the pipeline is implemented, but the data-collection and evaluation phases (ADR-079 P7–P9) are still pending, so no measured camera-supervised PCK@20 has been published yet
+> - Camera-free pose accuracy is limited (PCK@20 ≈ 2.5% with proxy labels) — [camera ground-truth training](docs/adr/ADR-079-camera-ground-truth-training.md) targets **35%+ PCK@20**; the pipeline is implemented, but the data-collection and evaluation phases (ADR-079 P7–P9) are still pending.
 >
 > Contributions and bug reports welcome at [Issues](https://github.com/ruvnet/RuView/issues).
 
-> **What's new (2026-05-23):**
-> - **ESP32-C6 firmware substrate closed** ([ADR-110](docs/adr/ADR-110-esp32-c6-firmware-extension.md), [v0.7.0-esp32](https://github.com/ruvnet/RuView/releases/tag/v0.7.0-esp32)) — Wi-Fi 6 + 802.15.4 + TWT + LP-core dual-target firmware with a **measured 99.56 % cross-board ESP-NOW mesh RX rate**, **104.1 µs smoothed sync stdev**, **3.95× EMA suppression** — the ADR-110 §2.4 ≤100 µs multistatic alignment target is empirically met. 32-byte sync packet, host decoders in Python + Rust with a cross-language hex pin, REST `/api/v1/mesh` + `/mesh/metrics` (Prometheus), WebSocket `sensing_update.sync` field. [PR #764](https://github.com/ruvnet/RuView/pull/764).
-> - **Home Assistant + Matter integration** ([ADR-115](docs/adr/ADR-115-home-assistant-integration.md)) — drop into any HA install with `--mqtt`, pair into Apple Home / Google Home / Alexa / SmartThings as a Matter Bridge, 21 entity kinds per node (11 raw + 10 inferred semantic primitives), 8 starter HA Blueprints, 3 Lovelace dashboards, privacy mode that strips biometrics at the wire while semantic states keep working. [PR #778](https://github.com/ruvnet/RuView/pull/778).
-
 ## **See through walls with WiFi** ##
 
 **Turn ordinary WiFi into a spatial intelligence / sensing system.** Detect people, measure breathing and heart rate, track movement, and monitor rooms — through walls, in the dark, with no cameras or wearables. Just physics.

docs/adr/ADR-116-cog-ha-matter-seed.md

@@ -0,0 +1,115 @@
+# ADR-116: Home Assistant + Matter as a Cognitum Seed cog (`cog-ha-matter`)
+
+| Field | Value |
+|-------|-------|
+| **Status** | Proposed — P1 research complete ([`docs/research/ADR-116-ha-matter-cog-research.md`](../research/ADR-116-ha-matter-cog-research.md)). P2 cog scaffold compiles (`v2/crates/cog-ha-matter`, 2/2 unit tests green). |
+| **Date** | 2026-05-23 |
+| **Deciders** | ruv |
+| **Codename** | **HA-COG** — HA + Matter, packaged for the Seed |
+| **Relates to** | [ADR-110](ADR-110-esp32-c6-firmware-extension.md) (C6 firmware substrate), [ADR-115](ADR-115-home-assistant-integration.md) (HA-DISCO + HA-MIND + HA-FABRIC), [ADR-102](ADR-102-edge-module-registry.md) (cog catalog), [ADR-101](ADR-101-pose-estimation-cog.md) (cog packaging precedent) |
+| **Tracking issue** | TBD — file under RuView issue tracker once research dossier lands |
+
+---
+
+## 1. Context
+
+ADR-115 shipped the Home Assistant + Matter integration as a **`--mqtt` flag on `wifi-densepose-sensing-server`** — a Rust binary that runs on a Pi / Linux box, consumes UDP frames from the ESP32 fleet, and publishes MQTT for any Home Assistant install to discover. That works, but it makes HA+Matter a *configuration of the aggregator*, not an *installable artifact* a Cognitum Seed user can drop into their existing fleet.
+
+The Cognitum Seed already has a [105-cog catalog](https://seed.cognitum.one/store) — packaged Seed apps (`cog-pose-estimation`, `cog-quantum-vitals`, `cog-person-matching`, etc.) that anyone can install from `app-registry.json`. **There is no `cog-ha-matter` yet.** That's the gap this ADR closes.
+
+The cog packaging precedent is ADR-101 (`cog-pose-estimation`) which ships signed aarch64 + x86_64 binaries on GCS with a `pose_v1.safetensors` weight blob — same shape we'd want for the HA cog.
+
+### 1.1 Why a cog, not just the existing flag?
+
+| Path | Distribution | Discovery | Update | Witness | Local AI |
+|---|---|---|---|---|---|
+| `--mqtt` on `sensing-server` | manual install of the Rust binary | none | manual | none | external |
+| **`cog-ha-matter` Seed cog** | `app-registry.json` listing, one-click install | mDNS / cog browser | OTA via cog runtime | Ed25519 witness chain | local ruvllm + RuVector |
+
+The cog ships HA+Matter as a first-class Seed feature — same UX as installing a pose estimator or person matcher.
+
+### 1.2 What this ADR is *not*
+
+- Not a deprecation of the `--mqtt` flag on sensing-server. The flag stays for Pi / Linux deployments without a Seed; the cog is the Seed-native option.
+- Not a port of HA-MIND / HA-DISCO logic to a different language. The Rust crate already exists; the cog *wraps* it as a Seed-installable artifact + adds Seed-specific surfaces (witness, RuVector, ruvllm-driven thresholds).
+- Not a Matter SDK ship. ADR-115 §9.10 deferred the matter-rs SDK wiring to v0.7.1; this ADR continues that deferral and focuses on the *cog packaging* + *first-class Seed integration*, with Matter Bridge mode shipping in v0.8 once the SDK is ready.
+
+## 2. Decision (provisional — to be refined by the research dossier)
+
+Build **`cog-ha-matter`** as a Cognitum Seed cog with these surfaces:
+
+### 2.1 Core entity surface (unchanged from ADR-115)
+
+The cog republishes the same 21 entities per node (11 raw + 10 semantic primitives) over MQTT auto-discovery, so HA installations behave identically whether the source is a Seed cog or an external sensing-server.
+
+### 2.2 Seed-native enhancements
+
+- **Self-contained MQTT broker (optional)** — if the user doesn't already run mosquitto, the cog can host an embedded broker on `cognitum-seed.local:1883` and act as the HA endpoint directly.
+- **mDNS service advertisement** — `_ruview-ha._tcp` so HA's discovery integration finds the Seed without manual config.
+- **RuVector-backed semantic-primitive thresholds** — instead of static `semantic-thresholds.yaml`, the cog learns per-home thresholds via a SONA-adapted RuVector model (matches the Seed's local-first AI story).
+- **Ed25519 witness chain** — every state transition logged with a Seed signature so care-home / regulated deployments can audit decisions.
+- **OTA firmware coordination** — the cog manages C6 firmware updates for ESP32-C6 nodes in the mesh (ADR-110 substrate).
+
+### 2.3 Matter dimensions (depend on research findings)
+
+The research dossier covers (a) Matter Bridge vs Matter Device mode, (b) Thread Border Router on the Seed's ESP32-S3 (if feasible), (c) CSA certification path, (d) which Matter device classes map cleanly to which entities. **Decision deferred** until the dossier lands; this ADR will be updated in §3 with the specific Matter feature set.
+
+### 2.4 Multi-Seed federation
+
+Multiple Seeds in adjacent rooms coordinate via:
+- ESP-NOW mesh (ADR-110 substrate) for time alignment
+- mDNS for service discovery
+- Witness chain replication for cross-Seed event provenance
+
+The federation model is the natural extension of ADR-110's mesh substrate into the application layer. Specifically: ADR-110 gives us ≤100 µs cross-board sync; this ADR uses that to deduplicate cross-Seed events (one fall, one alert) and reconstruct multi-room transitions (one occupant, room A → hallway → room B).
+
+## 3. Research dossier findings (P1 complete)
+
+Full dossier: [`docs/research/ADR-116-ha-matter-cog-research.md`](../research/ADR-116-ha-matter-cog-research.md). The eight research questions are now answered:
+
+1. **Matter Bridge vs Matter Root** — Matter 1.4 introduced `OccupancySensor (0x0107)` with `RFSensing` feature flag on cluster `0x0406` (revision 5 in Matter 1.4). That's the correct device class for WiFi-CSI sensing — no health/vitals cluster exists in Matter 1.4.2 and won't soon. **Seed acts as Bridge** with N dynamic OccupancySensor endpoints, **not Commissioner** (the C6 sensing nodes stay Accessories only — 320 KB SRAM no PSRAM rules out commissioning).
+2. **Thread Border Router** — ESP32-C6 single-chip TBR confirmed working; `CONFIG_OPENTHREAD_BORDER_ROUTER=y` is the only config step. ADR-110's `c6_timesync.c` already initialises 802.15.4 — TBR is a Kconfig flag away. Real value: HA's Improv-style commissioning works without a separate Thread border router box.
+3. **HACS value-add** — config flow (UI setup wizard), Repairs API (structured error cards), re-authentication, diagnostics download, typed service actions (`set_privacy_mode`, `calibrate_zone`), i18n translations. **Bronze is the minimum bar; Gold (repairs + diagnostics + reconfiguration) is the target.** Start from `hacs.integration_blueprint` template.
+4. **CSA certification** — ~$30-42k first year ($22.5k membership + $10-19k ATL lab fees). **Skippable for v1** by publishing as "Works with HA" instead. CSA re-evaluate at v0.9+ after HACS adoption data lands.
+5. **Cog RAM budget** — 128 MB RAM / 15 % CPU on the Seed appliance (Pi 5 + Hailo-10 variant has more headroom). 10 KB INT8 semantic-primitive classifier fits without PSRAM. Long-lived supervised process with capability scopes `network.mqtt + network.matter + api.ruview_vitals`.
+6. **ruvllm + RuVector latency** — `ruvllm-esp32` v0.3.3 confirms SONA self-optimising adaptation under 100 µs per query. 8→10 INT8 classifier ~10 KB quantised. Per-home threshold tuning via HA thumbs-up/thumbs-down feedback as LoRA-style gradient steps — closes the top user complaint (false positives) without cloud round-trips.
+7. **HIPAA / FDA** — FDA January 2026 General Wellness guidance explicitly classifies HR / sleep / activity-anomaly alerts as **wellness devices** (outside FDA jurisdiction) when marketed without diagnostic claims. Frame fall detection as **"activity anomaly notification"** not "fall diagnosis". `--privacy-mode` audit-only tier (no MQTT state messages, only SHA-256 digests on-Seed) creates a technical PHI barrier. `OccupancySensor (0x0107)` device class keeps the product in the same regulatory category as a smart motion sensor.
+8. **Competitor moat** — Aqara FP300 (Nov 2025): 5 entities, no person count, no vitals, no fall detection. TOMMY: zones only, no vitals, closed-source, paywalled. ESPectre: motion only. **RuView's differentiation** — HR/BR + 17-keypoint pose + 10 semantic primitives + witness chain + SONA adaptation — has no competitor equivalent.
+
+## 4. Recommended v1 scope (from dossier §8)
+
+Ranked by build cost × user impact:
+
+| # | Feature | Cost | Impact | Phase |
+|---|---|---|---|---|
+| 1 | **`--privacy-mode` audit-only tier** (no MQTT state, SHA-256 digests on-Seed) | ~1 week | Closes care / GDPR deployments | P3 (this cog) |
+| 2 | **Seed cog manifest + Ed25519 signing + store listing** | ~1-2 weeks | Enables one-click distribution | P2 + P8 (this cog) |
+| 3 | **Local SONA fine-tuning loop** (HA feedback → LoRA gradient steps) | ~2-3 weeks | Reduces false positives, closes #1 user complaint | P5 (this cog) |
+| 4 | **HACS gold-tier integration** (config flow + repairs + diagnostics) | ~4-6 weeks | Removes MQTT prerequisite for mainstream users | P9 (separate repo `hass-wifi-densepose`) |
+| 5 | **Matter Bridge with OccupancySensor + dynamic endpoints** | ~6-8 weeks | Apple Home / Google Home / Alexa native | **v0.8** dedicated sprint (after HACS adoption data) |
+
+## 4. Implementation phases
+
+| Phase | Scope | Status |
+|---|---|---|
+| **P1** | Research dossier ([`docs/research/ADR-116-ha-matter-cog-research.md`](../research/ADR-116-ha-matter-cog-research.md)) | ✅ **done** — 8 sections, 30+ citations, v1 scope ranked |
+| **P2** | Cog crate scaffold (`v2/crates/cog-ha-matter/`) — Cargo.toml + `src/{lib,main,manifest}.rs`, workspace member, CLI args, `--print-manifest` flag, 2 manifest unit tests | ✅ **done** — `cargo check` + `cargo test` green |
+| **P3** | Wrap existing ADR-115 MQTT publisher as cog entry point | ✅ **wiring done** — `main.rs` boots ADR-115's `publisher::spawn` via `runtime::spawn_publisher` thin wrapper, holds a long-lived `broadcast::Sender<VitalsSnapshot>`, awaits Ctrl-C. Live-handle test green without a broker. Next (P3.5): subscribe to sensing-server `/v1/snapshot` WS and republish into the channel. |
+| **P4** | Seed-native enhancements (embedded broker, mDNS, witness) | in progress — (a) mDNS record-builder ✅. (b) Witness hash-chain ✅. (c) JSONL line serializer ✅. (d) File persistence + chain-level verify ✅. **(e) Ed25519 signing layer ✅** — `witness_signing::{sign_event, verify_signature, signature_to_hex, signature_from_hex}` signs the same canonical bytes the hash chain commits to, so a single attestation covers `kind + payload + ts + seq + prev_hash`. Tests cover wrong-key, tampered-event, wrong-prev_hash, hex round-trip, determinism. (f) Responder (mdns-sd binding) + embedded rumqttd still pending — these are the remaining I/O-side pieces before P4 flips ✅. |
+| **P5** | RuVector-backed threshold learning (SONA adaptation) | pending |
+| **P6** | Multi-Seed federation (cross-Seed dedup + witness) | pending |
+| **P7** | Matter Bridge mode (depends on matter-rs / esp-matter readiness) | pending |
+| **P8** | Cog signing + `app-registry.json` listing + Seed Store entry | pending |
+| **P9** | HACS integration repo (`hass-wifi-densepose`) for HA-side install path | pending |
+| **P10** | Witness bundle + CSA-style spec compliance check | pending |
+
+## 5. References
+
+- ADR-101 — `cog-pose-estimation` packaging precedent (signed binaries on GCS, .cog manifest)
+- ADR-102 — edge module registry (`app-registry.json` surfaces all cogs)
+- ADR-110 — ESP32-C6 firmware substrate (mesh time alignment that multi-Seed federation depends on)
+- ADR-115 — HA-DISCO + HA-MIND + HA-FABRIC (the Rust crate this cog wraps)
+- `docs/research/ADR-116-ha-matter-cog-research.md` — companion research dossier (deep-researcher agent in progress)
+- Cognitum Seed store: https://seed.cognitum.one/store
+- Matter spec: https://csa-iot.org/all-solutions/matter/
+- HACS integration target: https://github.com/ruvnet/hass-wifi-densepose (planned)

docs/integrations/home-assistant.md

@@ -389,6 +389,120 @@ Per [ADR-115 §3.9](../adr/ADR-115-home-assistant-integration.md#39-tls--auth),
 
 ---
 
+## Applications — what people actually do with this
+
+The 21 entities per node — 11 raw signals (presence, person count, breathing, heart rate, motion, RSSI, etc.) and 10 inferred semantic states (someone-sleeping, possible-distress, room-active, elderly-inactivity-anomaly, meeting-in-progress, bathroom-occupied, fall-risk-elevated, bed-exit, no-movement, multi-room-transition) — slot into Home Assistant like any other sensor. The list below groups real-world uses so you can pick the ones that match your space.
+
+### Personal & home
+
+| Use case | Which entities | What HA does with it |
+|---|---|---|
+| **"Goodnight" routine** | `someone_sleeping` | Dim hallway lights to 5%, lock doors, drop thermostat 2 °C, mute notifications. Blueprint `02-dim-hallway-when-sleeping.yaml`. |
+| **"Wake up" routine** | `bed_exit` | When you get out of bed in the morning, turn on the bathroom heater, raise blinds, start the coffee. Blueprint `03-wake-routine-on-bed-exit.yaml`. |
+| **Meeting / focus mode** | `meeting_in_progress` | Multi-person presence in the office for >5 min → set a "Do Not Disturb" status, dim overhead lights, pause vacuum schedule. Blueprint `05-meeting-lights-presence-mode.yaml`. |
+| **Bathroom fan automation** | `bathroom_occupied` | Turn the exhaust fan on while a bathroom is occupied; turn it off 5 min after you leave. Blueprint `06-bathroom-fan-while-occupied.yaml`. |
+| **Forgotten kitchen / iron** | `presence` per room | "Stove on, kitchen empty for 10 min" → push notification + optional smart-plug cut-off. |
+| **Pet-only at home** | `n_persons == 0` for hours but `motion > 0` | Distinguish dog moving around from human presence — don't trigger empty-home automations during the day. |
+| **Sleep quality tracking** | `breathing_rate_bpm`, `heart_rate_bpm` (privacy off) | Push nightly averages to HA Statistics, graph in Grafana. No watch, no app. |
+| **Toddler bed safety** | `no_movement` in a child's room overnight | Alert parents if breathing-rate signal drops out unexpectedly. |
+| **Pre-arrival lighting** | `multi_room_transition` | When you walk from the entry hall toward the living room, anticipate the route and pre-warm those lights. |
+
+### Healthcare & assisted living (AAL)
+
+| Use case | Which entities | Why this works |
+|---|---|---|
+| **Fall detection + escalation** | `fall_detected` | Phase-acceleration spike + 3-frame debounce. Trigger a Lovelace alert, then escalate to a phone call if the person stays still for >2 min. Blueprint `07-fall-risk-escalation.yaml`. |
+| **Elderly inactivity anomaly** | `elderly_inactivity_anomaly` | Learns a person's normal day-pattern and flags deviations (e.g. usually up by 9 am, hasn't moved by 11 am). Blueprint `04-alert-elderly-inactivity-anomaly.yaml`. |
+| **Privacy-mode care monitoring** | `possible_distress` + `no_movement` + `someone_sleeping` | Run with `--privacy-mode` — heart rate and breathing values are stripped at the wire, but the *inferred states* keep working. Care staff sees "Distress detected" without ever seeing the underlying biometric numbers. The architectural win that makes RuView legally deployable in care homes. |
+| **Sleep apnea screening** | `breathing_rate_bpm` + `breathing_confidence` | Track per-night BPM histograms; flag dips that correlate with apnea events. |
+| **Post-surgery recovery monitoring** | `no_movement` + `bed_exit` + `breathing_rate_bpm` | Hospital-discharge patient at home; rule: "no bed exits in 12 h" triggers a check-in call. |
+| **Dementia wandering detection** | `multi_room_transition` + nighttime gate | Multi-room transitions between 23:00 and 06:00 alert a caregiver — without GPS tags or wearables the person may refuse to wear. |
+| **Bathroom occupancy timeout** | `bathroom_occupied` for >30 min | Possible fall or medical incident; push to caregiver. |
+
+### Security & safety
+
+| Use case | Which entities | What HA does with it |
+|---|---|---|
+| **Auto-arm when no one's home** | `presence` across all nodes for >10 min | Switch HA alarm panel to "armed_away" — replaces door-sensor + key-fob combos. Blueprint `08-auto-arm-security-when-not-active.yaml`. |
+| **Intrusion detection (presence without entry)** | `presence` true while no door/window sensor opened | Real signal of someone inside who shouldn't be. RF-based, can't be defeated by covering a camera. |
+| **Through-wall presence verification** | `presence` per room, even with doors closed | Confirms HA "someone is home" estimate without requiring per-room PIR sensors. |
+| **Hostage / silent-distress mode** | `possible_distress` (motion + elevated HR) | If you've published HR + privacy is off, abnormal motion-plus-physiology can trigger a silent alarm. |
+| **Garage / shed monitoring** | `presence` in outbuildings | Wi-Fi reaches places PIR doesn't (metal shed walls block IR but pass through Wi-Fi). |
+| **Camera-free child safety zone** | `presence` near pool / stairs / fireplace | Push alert if a known child-room sensor sees presence in restricted zone — no cameras, no privacy concerns. |
+
+### Commercial buildings & retail
+
+| Use case | Which entities | What it enables |
+|---|---|---|
+| **Real-time office occupancy** | `n_persons`, `presence`, `room_active` | Live dashboard of how full each meeting room is — no cameras, no badges. Better than door-counters because people are detected mid-meeting, not just on entry. |
+| **HVAC demand-controlled ventilation** | `n_persons` | Adjust ventilation per room based on people present — saves 20-30% on cooling/heating in shared offices. |
+| **Meeting room booking truth** | `meeting_in_progress` vs calendar | "Meeting booked, but no one's there" → auto-release the room. |
+| **Retail dwell time + heat-mapping** | `presence` + `motion` over time | Where do customers linger? Which aisles are empty? Anonymous (no faces), through-clothing, works in low light. |
+| **Queue length estimation** | `n_persons` near a checkout | Trigger "open another register" automation. |
+| **Cleaning verification** | `no_movement` in a room for >X min after hours | Confirms cleaning crew has finished the room without requiring badges. |
+| **Lone-worker safety (warehouses, labs)** | `no_movement` + `possible_distress` | OSHA-compatible solo-worker monitoring without wearables. |
+
+### Industrial & infrastructure
+
+| Use case | Which entities | What it enables |
+|---|---|---|
+| **Manned-station occupancy** | `presence` | Control rooms / lab benches — confirm operator presence without log-in friction. |
+| **Restricted-zone intrusion** | `presence` + `multi_room_transition` | Server room / clean room / pharmaceutical lab — RF passes through doors better than IR. |
+| **Equipment-room ventilation** | `presence` in a UPS / battery room | Turn on exhaust fans when a technician enters. |
+| **Hazardous-area worker tracking** | `presence` + `no_movement` | Confirm workers in an electrical or chemical area are still moving (not collapsed). |
+| **Construction-site after-hours** | `presence` + scheduled gate | Detect anyone on-site after 18:00 → site supervisor alert. |
+| **Maritime / offshore quarters** | `breathing_rate` overnight | Confirm bunk occupants are alive without wearables that often get removed during sleep. |
+
+### Education & public spaces
+
+| Use case | Which entities | What it enables |
+|---|---|---|
+| **Classroom occupancy** | `n_persons`, `room_active` | HVAC and lighting per actual headcount — saves energy in classrooms used 40% of the day. |
+| **Library / study room availability** | `presence` + `n_persons` | Live "rooms available" page without webcams. |
+| **Lecture hall attendance** | `n_persons` time-series | No card-swipe required — RF presence is robust to phones-in-pockets. |
+| **Restroom occupancy signage** | `bathroom_occupied` per stall | Privacy-friendly "in use / available" indicators. |
+| **Gym / pool capacity** | `n_persons` | Live capacity counter for compliance with limits — no turnstiles needed. |
+| **Public-transport waiting areas** | `n_persons` + `room_active` | Real-time platform crowd density for transit operator dashboards. |
+
+### Energy & sustainability
+
+| Use case | Which entities | What it enables |
+|---|---|---|
+| **Per-room lighting auto-off** | `presence` per node | The room-level version of motion-PIR — works through walls, no false-off when sitting still reading. |
+| **Smart-thermostat zoning** | `room_active`, `n_persons` | Only heat / cool occupied rooms — substantial savings in homes >150 m². |
+| **Vampire-load cut-off** | `presence` for whole house | When no one is home, smart plugs cut TV / chargers / standby loads. |
+| **Solar / battery dispatch tuning** | `n_persons`, `motion_energy` | Predict next-hour load based on activity, dispatch battery accordingly. |
+| **Cold-chain refrigeration alerts** | `presence` + `bathroom_occupied` confusion | Trigger door-checks when an unexpected person spends >10 min near a walk-in freezer. |
+
+### Research, prototyping & developer use
+
+| Use case | Which entities | What it enables |
+|---|---|---|
+| **Behavioral studies** | Full snapshot stream | Anonymous behavioral data — count, motion, vitals — without IRB-blocking cameras. |
+| **HCI experiments** | `multi_room_transition` + `presence` | Path-following studies in living labs. |
+| **Healthcare datasets** | `breathing_rate_bpm` time-series | Generate breathing-rate corpora for ML training without consent forms for facial data. |
+| **Custom RuView Cogs** | Raw CSI feed + the WebSocket sync field | Bring your own model, consume the firmware-side mesh-aligned timestamps for multistatic fusion. |
+
+### Combining entities — recipe patterns
+
+A few patterns appear over and over; if you understand these you can build most of the above yourself:
+
+1. **"Negative + duration" trip wires** — `no_movement` for N minutes AND time-of-day window → most healthcare and pet/child safety automations.
+2. **"Two states agree" guards** — `presence == false` AND security panel disarmed AND no door sensor open → strong "house is empty" signal.
+3. **"Threshold + cooldown"** — `presence_score > 0.7` for 30 s before triggering (smooths over flicker), then a 5 min cooldown before re-arming (prevents oscillation).
+4. **"Calendar vs reality"** — pair an HA calendar event with `n_persons` → meeting-room auto-release, classroom unused-period detection.
+5. **"Privacy-mode + semantic-only"** — run `--privacy-mode`, expose only the semantic primitives to HA, keep biometrics on-device. The right default for any deployment with non-tenant occupants.
+
+### What about regulated environments?
+
+Run RuView with `--privacy-mode` and only the 10 inferred semantic states reach Home Assistant — heart rate, breathing rate, and pose values are stripped at the MQTT wire. Per ADR-115 §6, this passes:
+
+- **HIPAA-style minimum-necessary** (no biometric numbers leave the device)
+- **GDPR purpose-limitation** (the inferred states are the smallest dataset that supports the automation)
+- **CCPA "sensitive personal information"** (no health data crosses the wire)
+
+The fall-risk-elevated / possible-distress / someone-sleeping flags still work — they're computed *inside* the sensor pipeline and only the boolean outputs are published. That's the architectural win that makes RuView deployable in care homes, hospitals, schools, and shared-housing scenarios where raw biometrics would be a non-starter.
+
 ## References
 
 - [ADR-115](../adr/ADR-115-home-assistant-integration.md) — full design rationale

docs/research/ADR-116-ha-matter-cog-research.md

@@ -0,0 +1,358 @@
+---
+title: "ADR-116 Research: Home Assistant + Matter Cognitum Seed Cog"
+date: 2026-05-23
+author: ruv
+status: research-complete
+relates-to: ADR-110, ADR-115
+sources:
+  - https://csa-iot.org/newsroom/matter-1-4-enables-more-capable-smart-homes/
+  - https://csa-iot.org/newsroom/matter-1-4-2-enhancing-security-and-scalability-for-smart-homes/
+  - https://docs.espressif.com/projects/esp-matter/en/latest/esp32c6/certification.html
+  - https://docs.espressif.com/projects/esp-matter/en/latest/esp32s3/optimizations.html
+  - https://matter-survey.org/cluster/0x0406
+  - https://developers.home-assistant.io/docs/core/integration-quality-scale/rules/
+  - https://www.hacs.xyz/docs/publish/integration/
+  - https://www.derekseaman.com/2025/11/aqara-fp300-the-ultimate-presence-sensor-home-assistant-edition.html
+  - https://www.tommysense.com/
+  - https://github.com/francescopace/espectre
+  - https://kendallpc.com/fdas-2026-guidance-on-general-wellness-devices-policy-for-low-risk-devices-key-compliance-and-regulatory-insights-for-digital-health-companies/
+  - https://www.troutman.com/insights/fdas-2026-guidance-on-general-wellness-devices-policy-for-low-risk-devices/
+  - https://community.st.com/t5/stm32-summit-q-a/what-is-the-usual-cost-for-a-matter-certification/td-p/652346
+  - https://github.com/p01di/esp32c6-thread-border-router
+  - https://libraries.io/npm/ruvllm-esp32
+  - https://github.com/ruvnet/RuView/blob/main/docs/adr/ADR-069-cognitum-seed-csi-pipeline.md
+  - https://www.matteralpha.com/news/home-assistant-2025-12-adds-enhancements-to-matter-sensor-doorlock-and-covering
+  - https://docs.nordicsemi.com/bundle/ncs-3.1.0/page/nrf/protocols/matter/getting_started/testing/thread_one_otbr.html
+---
+
+# ADR-116 Research Dossier: Home Assistant + Matter Integration as a Cognitum Seed Cog
+
+**Research question**: How far can we take HA + Matter integration for WiFi-DensePose / RuView, specifically packaged as a Cognitum Seed cog running on the ESP32-S3 Seed appliance?
+
+**Baseline**: ADR-110 (ESP32-C6 mesh firmware, v0.7.0-esp32) and ADR-115 (HA-DISCO MQTT + HA-FABRIC Matter scaffold, v0.7.0) are both merged to main. This research scopes ADR-116.
+
+---
+
+## 1. Matter / Thread Frontier
+
+### 1.1 Current specification state (May 2026)
+
+Matter 1.4 (released November 2024) added Solar Power, Battery Storage, Heat Pump, Water Heater, and Mounted Load Control device types — primarily energy-management expansion. It did NOT add health, wellness, vitals, or biometric device types. The cluster relevant to WiFi-DensePose is the **Occupancy Sensing cluster (0x0406)**, which has been present since Matter 1.1 and reached revision 5 in Matter 1.4.
+
+Matter 1.4.2 (current patch release as of research date) focused on security: vendor-ID cryptographic verification of Fabric Admins, Access Restriction Lists (ARLs) for network infrastructure devices, Certificate Revocation Lists (CRLs), and Wi-Fi-only commissioning without BLE. The Wi-Fi-only commissioning path (no BLE requirement) is directly relevant to the Seed, which hosts its own AMOLED UI and can display QR codes natively.
+
+**Occupancy Sensing cluster 0x0406 feature flags** (Matter 1.4 revision 5): PIR, Ultrasonic, PhysicalContact, ActiveInfrared, **Radar**, **RFSensing**, Vision, Prediction, OccupancyEvent. The `RFSensing` feature flag added in 1.3 is the correct semantic tag for CSI-based WiFi detection — we are not PIR or Radar in the classical sense. Home Assistant 2025.12 added configurable `HoldTime` for occupancy sensors and support for `CurrentSensitivityLevel`, both attributes our MQTT path already carries.
+
+**Breathing rate and heart rate have no Matter cluster today.** The spec does not define a BiomedicalSensing or VitalSigns device type. Until the CSA adds one (no public work item found as of May 2026), vitals must stay on MQTT. This is a hard architectural constraint for the Matter path.
+
+### 1.2 Thread Border Router on ESP32-C6
+
+The ESP32-C6 carries 802.15.4 natively (the same radio used for Thread and Zigbee). Espressif ships a working single-chip Thread Border Router reference design for C6 in `esp-matter`, confirmed by community hardware tests (p01di/esp32c6-thread-border-router on GitHub). The C6 can operate as a Thread BR while simultaneously sensing on 2.4 GHz Wi-Fi — the two radios share the same front-end but schedule airtime independently under ESP-IDF. ADR-110 already initializes the 802.15.4 subsystem (`c6_timesync.c`) for cross-node time sync; adding TBR functionality is a matter of enabling `CONFIG_OPENTHREAD_BORDER_ROUTER=y` in the C6 sdkconfig overlay, adding the `esp_openthread_border_router_init()` call, and exposing the backbone interface (Wi-Fi STA).
+
+**Thread 1.4 (TREL)**, shipped with Apple tvOS 26 in late 2025, adds Thread Radio Encapsulation Link — Thread traffic tunneled over Wi-Fi as a fallback backhaul. The C6's Wi-Fi 6 radio supports this. TREL removes the hard dependency on a BR for cross-subnet Thread commissioning, which means a C6-equipped Seed node could participate in a Thread fabric without a dedicated BR appliance.
+
+### 1.3 Matter Commissioner / Root mode
+
+In Matter terms, a Commissioner is a distinct role from an Accessory (end device) or Bridge. The Matter spec allows a device to be simultaneously a Fabric member (commissioned) and a Commissioner (able to commission other devices). The `chip-tool` in `connectedhomeip` is the canonical embeddable commissioner implementation. Running chip-tool on the S3 (512 KB SRAM + 8 MB PSRAM) is feasible but borderline — the commissioner stack requires Thread discovery, BLE central, and certificate-chain verification, adding approximately 400–600 KB RAM footprint on top of the application. On the S3 with 8 MB PSRAM mapped to heap this is tractable; on the C6 (320 KB SRAM, no PSRAM) it is not.
+
+**Practical recommendation**: the Cognitum Seed (S3 + PSRAM + full appliance OS) is the right place to host a Matter commissioner, not the C6 sensing nodes. The Seed can use its existing bearer-token API surface and its cognitum-fleet process (port 9002) as the orchestration layer that opens commissioning windows and bootstraps C6 nodes into the Fabric. C6 nodes remain Accessories only.
+
+### 1.4 CSA certification path
+
+Certification requires: (1) CSA membership (~$22,500/year for full member; lower tiers exist), (2) an Authorized Test Laboratory (ATL) engagement (~$10,000–$19,540 per product for lab fees and certification application), (3) PICS/PIXIT XML submission, (4) hardware shipping to the ATL, and (5) registration on the Distributed Compliance Ledger (DCL). Espressif provides pre-certified radio modules (ESP32-C6-MINI-1, ESP32-S3-MINI-1) which can reduce retesting scope under CSA's Rapid Recertification program — only clusters/device-types added beyond the pre-certified baseline require full ATL re-test. Using `esp-matter` with a pre-certified Espressif module, the realistic total cost for bridge certification is **$30,000–$42,000 first year, $22,500/year thereafter** for a full CSA member, or less if using a pass-through arrangement via an ODM partner that already holds membership.
+
+**Alternative**: publish as "Works with Home Assistant" (free, no CSA ATL, just integration tests) and defer CSA certification to v1.1 when commercial customers require it. The `RFSensing` device class and OccupancySensing cluster are already well-supported in the HA Matter integration without certification.
+
+**Key sources**: [Espressif Matter certification guide](https://docs.espressif.com/projects/esp-matter/en/latest/esp32c6/certification.html), [CSA certification process overview](https://csa-iot.org/certification/), [ST community cost discussion](https://community.st.com/t5/stm32-summit-q-a/what-is-the-usual-cost-for-a-matter-certification/td-p/652346), [Nordic Rapid Recertification notes](https://devzone.nordicsemi.com/f/nordic-q-a/116005/csa-iot-rapid-recertification-program), [ESP32-C6 single-chip TBR](https://github.com/p01di/esp32c6-thread-border-router).
+
+---
+
+## 2. HACS Distribution
+
+### 2.1 What HACS unlocks beyond MQTT auto-discovery
+
+MQTT auto-discovery (HA-DISCO, shipped in ADR-115) creates entities automatically but the integration surface is constrained:
+
+| Capability | MQTT auto-discovery | HACS Python integration |
+|---|---|---|
+| Config flow (UI setup without YAML) | no — user edits MQTT broker settings manually | yes — wizard walks user through seed URL, token, privacy options |
+| Repairs API | no | yes — surfaces structured error reasons ("node offline", "firmware mismatch") as HA repair cards |
+| Diagnostics download | no | yes — button in HA device page exports a JSON bundle for bug reports |
+| Re-authentication flow | no | yes — handles token expiry without user needing to touch YAML |
+| Device registry deep links | partial — via_device works | yes — full device info page, firmware version, last-seen, signal quality |
+| Service actions | no | yes — `wifi_densepose.set_privacy_mode`, `wifi_densepose.calibrate_zone` as typed HA services |
+| Config entry options | no | yes — change polling interval, privacy mode, zone layout from HA UI |
+| Translations (i18n) | no | yes — strings.json enables localized entity names and setup UI |
+| Integration quality scale tier | n/a | bronze is minimum; gold (diagnostics + repairs + discovery) is the target |
+| HACS listing | not applicable | yes — users install via HACS Store in one click |
+
+### 2.2 Quality Scale targets
+
+HA's quality scale has four tiers. **Bronze** (19 rules) is the minimum: config_flow, unique entity IDs, test coverage, basic documentation. **Silver** adds 95%+ test coverage and re-authentication. **Gold** adds repairs flows, diagnostics, reconfiguration flows, device categories and translations — this is the target for a v1 HACS integration because it meets the bar set by well-regarded third-party integrations like Z-Wave JS and ESPresense. **Platinum** adds strict typing, async dependency injection, and websession management — worth pursuing but not on the v1 critical path.
+
+### 2.3 HACS submission requirements
+
+HACS requires: public GitHub repo, repo description, topic tags, README, single custom component at `custom_components/wifi_densepose/`, `manifest.json` with `domain`, `documentation`, `issue_tracker`, `codeowners`, `name`, `version` fields, and a `brand/icon.png`. No formal approval process — listing is automatic once requirements are met via HACS default repositories submission. HA's `hassfest` CI tool validates the manifest structure and can be added to the repo's CI pipeline as a workflow step.
+
+The `hacs.integration_blueprint` template (github.com/jpawlowski/hacs.integration_blueprint) provides a well-maintained starting point with all boilerplate including config flow, repairs, diagnostics, and translations scaffolding.
+
+**Key sources**: [HA quality scale rules](https://developers.home-assistant.io/docs/core/integration-quality-scale/rules/), [HACS publish guide](https://www.hacs.xyz/docs/publish/integration/), [HACS 2.0 announcement](https://www.home-assistant.io/blog/2024/08/21/hacs-the-best-way-to-share-community-made-projects-just-got-better/), [integration blueprint](https://github.com/jpawlowski/hacs.integration_blueprint).
+
+---
+
+## 3. Cog Architecture for the Seed
+
+### 3.1 Current cog packaging model
+
+Based on ADR-069 and the cognitum-v0 appliance surface observed in the fleet:
+
+- Cogs are signed binaries distributed via GCS buckets and cataloged at `GET /api/v1/edge/registry` (ADR-102).
+- Each binary is verified against an **Ed25519 signature** before installation (ADR-100). The device-bound keypair lives in NVS on the Seed.
+- Cog binaries are platform-specific: `aarch64` for Pi-based Seed appliances, `x86_64` for the desktop appliance, and (from ADR-069) the feature-vector packet format (`edge_feature_pkt_t`, magic `0xC5110003`) defines the ESP32 side of the protocol. The cog runs on the Seed appliance, not directly on the ESP32.
+- The registry catalog at `seed.cognitum.one/store` lists 105 cogs with capability declarations. The Seed's `cognitum-ota-registry` (port 9003) handles OTA delivery.
+- Capability declarations include dependency lists, required Seed version, permission scopes (network, storage, MCP tool invocations), and resource budgets (max RAM, max CPU).
+
+### 3.2 Proposed HA+Matter cog architecture
+
+The cog runs as a long-lived process on the Seed (aarch64 binary, supervised by `cognitum-agent`). It owns two surfaces:
+
+**Surface A — MQTT bridge**: connects to a user-configured Mosquitto broker (or uses the Seed's internal broker), republishes telemetry from the Seed's `ruview-vitals-worker` (port 50054) as HA auto-discovery messages. This reuses the HA-DISCO logic already in `wifi-densepose-sensing-server` but runs as a Seed-native cog rather than requiring the user to run the sensing-server separately. The cog registers a `ha_mqtt` MCP tool (114-tool catalog) so automations running on other cogs can call `ha_mqtt.publish_state(entity_id, state)`.
+
+**Surface B — Matter bridge**: wraps `esp-matter` / `matter-rs` as a Matter Accessory Bridge. The Seed acts as a WiFi-connected Matter Bridge — one Fabric node with N dynamic endpoints, one per sensing zone. Device types used: `OccupancySensor` (0x0107, clusters: `OccupancySensing 0x0406` with `RFSensing` feature flag + `BooleanState 0x0045`), `ContactSensor` for fall events, and a vendor-specific numeric attribute for person count on the Bridge root endpoint. The Seed's AMOLED display shows the Matter QR code for commissioning — no phone or scanning app required.
+
+**Surface C — HA HACS integration (optional for users without MQTT)**: a Python package in `custom_components/wifi_densepose/` that speaks directly to the Seed's REST API (`/api/v1/`, bearer token from cognitum-agent on port 80) and bootstraps config flow, entities, repairs, and diagnostics as described in §2.
+
+**Deployment topology**: Seed acts as hub for all sensing nodes (ESP32-S3 and C6). Nodes stream feature vectors to the Seed over UDP (ADR-069 protocol). The cog translates these into HA entities, Matter endpoints, and (via Surface C) HACS entity objects. One cog install covers an unlimited number of ESP32 nodes behind that Seed.
+
+### 3.3 Should the cog speak MQTT or publish Matter directly?
+
+**MQTT to local HA is the lower-risk, faster path**: it requires no Matter SDK linkage, no CSA certification, and reuses the existing HA-DISCO logic. Matter direct publishing requires the Seed to hold a valid Fabric certificate (obtained through the commissioning flow with the user's HA or Apple Home controller), manage operational credentials, and handle rekey events. The overhead is manageable on the Seed (S3 processor + Pi aarch64 appliance stack), but the development and QA cost is 3-4x higher. The recommended architecture is: **MQTT as primary, Matter as secondary** — matching ADR-115's dual-protocol decision but now native to the cog.
+
+**Key sources**: [ADR-069 CSI pipeline](https://github.com/ruvnet/RuView/blob/main/docs/adr/ADR-069-cognitum-seed-csi-pipeline.md), [ESP32 Matter Bridge example](https://project-chip.github.io/connectedhomeip-doc/examples/bridge-app/esp32/README.html), [Tasmota Matter internals](https://tasmota.github.io/docs/Matter-Internals/), [cognitum-v0 fleet stack].
+
+---
+
+## 4. Local-First AI: ruvllm + RuVector on the Seed
+
+### 4.1 Hardware budget
+
+The Cognitum Seed (ESP32-S3 variant: 8 MB PSRAM + 16 MB flash; Pi 5 variant: 8 GB RAM, Hailo AI hat) has two distinct execution environments. For on-Seed inference the numbers differ dramatically:
+
+| Target | RAM headroom for inference | Flash/storage | Typical INT8 model ceiling |
+|---|---|---|---|
+| ESP32-S3 (8 MB PSRAM) | ~5 MB after OS + MQTT + Matter stack | 16 MB flash | 3–5 MB quantized model (e.g., MobileNetV2-class) |
+| Pi 5 Seed (8 GB RAM, Hailo-10) | ~6 GB free | NVMe | 40 TOPS hardware acceleration; 7B INT4 models feasible |
+| cognitum-v0 Pi 5 (Hailo via ruvector-hailo-worker) | 6 GB RAM + Hailo | NVMe | 40 TOPS; Hailo HEF deployment |
+
+For a **semantic-primitives inference cog running on the ESP32-S3 Seed**, the target is an INT8-quantized classifier that takes the 8-dimensional feature vector (`edge_feature_pkt_t`) as input and outputs 10 semantic primitive probabilities. This is a trivially small model (8 → 64 hidden → 10 outputs, ~10 KB quantized) — it fits entirely in SRAM without needing PSRAM. The ruvllm-esp32 library (npm: `ruvllm-esp32 0.3.3`, cargo: `ruvllm-esp32 0.3.2`) confirms this path: INT8 quantization, HNSW vector search, and SONA self-optimizing adaptation in under 100 µs per query.
+
+### 4.2 SONA fine-tuning loop
+
+The ruvllm SONA (Self-Optimizing Neural Architecture) adapter performs online gradient descent on LoRA-style adapter weights in under 100 µs per query. For the 10-semantic-primitive classifier, this means the Seed can fine-tune its thresholds per-home using occupant feedback without any cloud round-trip:
+
+1. User confirms a false positive via HA notification (e.g., "that was not a fall, I just sat down quickly").
+2. Feedback is recorded via the cog's `ha_mqtt.feedback` MCP tool.
+3. SONA runs one gradient step on the LoRA adapter weights for the `fall_risk_elevated` primitive.
+4. New weights are written to NVS on the ESP32-S3. The witness chain records the adaptation event with a timestamp.
+
+For the Pi 5 Seed with Hailo-10 (40 TOPS), this extends to full 7B-class LoRA fine-tuning using the Hailo HEF pipeline already running at port 50051 (`ruvector-hailo-worker`). The `ruvllm-microlora-adapt` MCP tool in the cog catalog covers this path.
+
+**Latency budget**: 8-dim → 10-output classifier: <1 ms on S3 SRAM (well within 20 Hz update cadence). SONA one-step gradient: <100 µs per adaptation event. Total per-inference overhead: negligible.
+
+### 4.3 RuVector embeddings for room-level semantic context
+
+The Seed's RuVector 2.0.4 integration (ADR-016) maintains HNSW embeddings of CSI feature vectors. The semantic primitives (sleeping, distress, meeting, etc.) can be implemented as HNSW nearest-neighbor lookups against a learned embedding space rather than threshold classifiers — this is more robust to room geometry variation. The `embeddings_rabitq_search` tool (RaBitQ approximate NN) supports sub-millisecond search on the ESP32-S3 PSRAM-hosted index. At 8 dimensions and 1,000 stored vectors, the HNSW index occupies approximately 200 KB — comfortably within PSRAM budget.
+
+**Key sources**: [ruvllm-esp32 on libraries.io](https://libraries.io/npm/ruvllm-esp32), [ESP32-S3 TinyML optimization guide](https://zediot.com/blog/esp32-s3-tinyml-optimization/), [edge LLM deployment 2025](https://kodekx-solutions.medium.com/edge-llm-deployment-on-small-devices-the-2025-guide-2eafb7c59d07), [LoRA-Edge paper](https://arxiv.org/pdf/2511.03765).
+
+---
+
+## 5. Multi-Seed Federation
+
+### 5.1 Discovery mechanisms
+
+Three viable discovery layers for two Seeds in adjacent rooms:
+
+**mDNS**: each Seed already advertises `_ruview._tcp` and `_matter._tcp` on the LAN. A second Seed can discover the first via `mdns-sd` query at startup and register it as a peer node. The cognitum-fleet service (port 9002) already implements fleet orchestration; adding peer-to-peer node registration is an extension of that model. **Caveat**: mDNS is link-local and does not cross VLANs. For multi-VLAN deployments (common in prosumer and commercial setups), a Tailscale overlay (the project already has a fleet on Tailscale — see CLAUDE.local.md) provides routable discovery at the cost of adding the Tailscale daemon to the cog's dependency list.
+
+**Matter multi-admin**: once both Seeds are commissioned to the same Matter Fabric (e.g., via HA's Matter integration), the Fabric provides a shared namespace. However, Matter does not define a cross-device occupancy-handoff event — it only publishes per-device state. Handoff logic must live in HA automations or in the Seed cog's federation layer.
+
+**Direct ESP-NOW mesh (ADR-110)**: the C6 nodes already run ESP-NOW with 99.56% RX reliability. Two Seeds each hosting C6 nodes can use ESP-NOW as the real-time cross-node synchronization bus — one C6 detects motion entering a room, broadcasts the event over ESP-NOW, the adjacent C6 primes its detector, and the Seed coordinator reconciles the two Occupancy states. This is the lowest-latency path (sub-millisecond over ESP-NOW vs. hundreds of milliseconds over MQTT → HA automation → MQTT).
+
+### 5.2 Conflict resolution for simultaneous fall detection
+
+When two sensing nodes both fire `fall_detected=true` within a short window, the cog applies a simple deduplication rule: the detection with the higher `presence_score` wins, and a 5-second exclusion window is applied on the lower-scoring node (matching the fall debounce logic from the firmware — 3-frame consecutive + 5 s cooldown). The winner's event is forwarded to HA as the canonical fall event. The loser is recorded in the witness chain with a `DEDUP_SUPPRESSED` tag for audit.
+
+For cross-room occupancy, the cog maintains a **single-occupancy graph**: if node A detects person_count=1 and node B simultaneously detects person_count=1, and the two nodes are configured as adjacent rooms, the cog checks whether person_count in the home (sum of all node counts) is consistent with known occupant count (configurable, defaults to household size from HA's `persons` entity). Inconsistency triggers a `multi_room_transition` event published to HA rather than both nodes claiming simultaneous presence.
+
+### 5.3 Witness chain for cross-Seed events
+
+ADR-069 defines a SHA-256 tamper-evident witness chain per node. For cross-Seed events, the chain must include a cross-reference: each Seed's witness head at the time of the event is included in the other's chain entry. The cog implements this via a shared `witness_sync` MCP tool that both Seeds call before writing a cross-node event. This produces a bifurcated chain that any third party can verify for temporal consistency.
+
+**Key sources**: [Matter multi-admin guide](https://mattercoder.com/codelabs/how-to-use-multi-admin/), [ESP-NOW mesh ADR-110 witness log](../WITNESS-LOG-110.md), [HA mDNS cross-VLAN thread](https://niksa.dev/posts/ha-vlan/), [home-assistant-matter-hub mDNS issue](https://github.com/t0bst4r/home-assistant-matter-hub/issues/237).
+
+---
+
+## 6. Competitor Analysis
+
+### 6.1 Aqara FP2 and FP300
+
+**FP2** (mmWave, Wi-Fi): presence, person count (up to 5), 30 zones with 320 detection areas, fall detection. HA integration via native Zigbee or Matter (Thread firmware). Matter mode is severely limited per user testing — configurable parameters are stripped and sensitivity settings are unavailable. Zigbee mode (via Zigbee2MQTT) is the recommended HA path. **No vitals (HR/BR), no pose.** Privacy story: local processing, no cloud required for automations.
+
+**FP300** (5-in-1: mmWave + PIR + light + temperature + humidity, Matter-over-Thread): presence (binary only), temperature, humidity, light level. No person count, no fall detection, no vitals. Thread firmware gives 5 HA entities. Matter mode is functional but configuration-limited. Battery-powered (2× CR2450, ~2 years in Thread mode). **Verdict**: Aqara's Matter story is hardware-first but software-limited. Their Matter device class choice is `OccupancySensor` with standard PIR/Radar bitmap — no `RFSensing` flag.
+
+### 6.2 TOMMY (tommysense.com)
+
+Wi-Fi CSI sensing for HA. Uses ESP32 nodes. Exposes zones as binary sensors (MQTT, port 1886) and as Matter `OccupancySensor` endpoints (QR-based pairing). Motion and presence only — no vitals, no pose, no fall detection. Privacy: fully local, one periodic license-check outbound call. Closed-source algorithm and firmware; open-source HA integration. **Pricing**: free trial (1 zone, 2-min pause per 2 min of detection), Pro (unlimited zones, continuous). **Key gap vs RuView**: no HR/BR, no pose keypoints, no fall detection, no witness chain, no SONA adaptation.
+
+### 6.3 ESPectre (github.com/francescopace/espectre)
+
+Open-source CSI motion detection with HA integration (HACS). ESP32-only. Motion detection via RSSI phase variance analysis — no person counting, no vitals, no fall detection. Python-based HA custom component. No Matter support. **Verdict**: proof-of-concept quality; not a commercial competitor but demonstrates demand for the HACS distribution path.
+
+### 6.4 Frigate NVR
+
+Video-based local AI NVR. MQTT integration with HA creates binary sensors (`binary_sensor.frigate_<camera>_person_motion`), person count sensors, and clip/snapshot sensors per camera. All inference on-device (Coral EdgeTPU or Hailo). **Privacy**: fully local, no cloud. Frigate's MQTT entity catalog per camera: 1 camera stream entity, N object detection binary sensors (person, car, dog, etc.), N object count sensors. No vitals, no pose skeleton. Matter support: none in Frigate itself. **Key privacy contrast vs RuView**: Frigate requires cameras (video pixels), RuView uses RF only — privacy advantage in bedrooms, bathrooms, and care settings.
+
+### 6.5 RoomMe (Intellithings)
+
+Bluetooth LE room presence using smartphone proximity. Supports HomeKit and some smart-device ecosystems. No native HA integration, no MQTT, no Matter. High per-unit cost ($69). No vitals, no fall detection. Not a real competitor for the CSI/mmWave presence category.
+
+### 6.6 Competitor entity catalog comparison
+
+| Feature | RuView (ADR-115) | Aqara FP2 | Aqara FP300 | TOMMY | Frigate |
+|---|---|---|---|---|---|
+| Presence (binary) | yes | yes | yes | yes | yes (person class) |
+| Person count | yes | yes (5 max) | no | no | yes (per class) |
+| HR / BR | yes | no | no | no | no |
+| Pose keypoints | yes (17-pt) | no | no | no | no |
+| Fall detection | yes | yes | no | no | no |
+| Semantic primitives | yes (10) | no | no | no | no |
+| Multi-room handoff | yes (cog) | no | no | no | no |
+| Privacy mode | yes (wire-strip) | local only | local only | local only | local only |
+| HACS integration | roadmap | no | no | yes | yes |
+| Matter native | yes (bridge) | yes (limited) | yes | yes | no |
+| Witness chain | yes | no | no | no | no |
+
+**Key sources**: [Aqara FP300 HA review](https://www.derekseaman.com/2025/11/aqara-fp300-the-ultimate-presence-sensor-home-assistant-edition.html), [TOMMY product page](https://www.tommysense.com/), [ESPectre GitHub](https://github.com/francescopace/espectre), [Frigate NVR docs](https://frigate.video/), [mmWave presence sensors 2026 comparison](https://www.linknlink.com/blogs/guides/best-mmwave-presence-sensors-home-assistant-2026).
+
+---
+
+## 7. Regulatory Frontier
+
+### 7.1 FDA classification landscape (2026 update)
+
+The FDA issued updated General Wellness Device guidance on January 6, 2026. Key clarifications relevant to WiFi-DensePose:
+
+**Wellness device criteria** (functions that keep the product outside FDA jurisdiction): the device must (a) have low inherent risk to user safety, (b) make no reference to specific diseases or conditions, and (c) not provide diagnostic or treatment outputs. Examples in the guidance: heart rate monitoring, sleep tracking, activity/recovery metrics, oxygen saturation trends — all qualify as wellness when marketed without diagnostic claims.
+
+**Claims that trigger medical device classification**: any output labeled as "abnormal, pathological, or diagnostic"; recommendations concerning clinical thresholds or treatment; ongoing clinical monitoring or alerts for medical management; substitution for an FDA-approved device. A fall detection feature framed as "alert a caregiver when you might have fallen" is materially different from one framed as "diagnose fall injury" — the former qualifies as wellness under the 2026 guidance; the latter does not.
+
+**The defensible wellness-device position for RuView**: (a) market fall detection as an "activity anomaly notification" not a "medical fall diagnosis"; (b) include explicit disclaimers against diagnostic or clinical use in app-store descriptions, labeling, and HA integration documentation; (c) avoid "medical-grade" accuracy claims for HR/BR readings; (d) position the device as a "smart home occupancy and wellness assistant" rather than a "patient monitoring system."
+
+### 7.2 HIPAA applicability
+
+HIPAA applies only when an entity is a HIPAA "covered entity" (healthcare providers, health plans, clearinghouses) or their "business associate." A consumer smart home product sold direct-to-homeowners is not automatically a covered entity. However, HIPAA applicability is triggered if the Seed's data flows into a covered entity's system (e.g., a care facility's EHR). The privacy-mode flag in ADR-115 (stripping HR/BR/pose at the wire, publishing only semantic state digests) creates a technical barrier to PHI transmission that supports a "not a covered entity" position.
+
+**All 50 US states** impose data breach notification requirements regardless of HIPAA status. The witness chain (SHA-256 tamper-evident audit log per node) satisfies most state-level data-integrity requirements.
+
+### 7.3 Matter Health-Check device class
+
+Matter currently has no "Health" or "Wellness" device class in the formal taxonomy. The closest is `OccupancySensor` with the `RFSensing` feature flag. The device type `0x0107` (OccupancySensor) in the DCL will not trigger any health-device regulatory scrutiny. Using this device type keeps the Seed in the same regulatory category as a smart motion sensor — well outside the medical device perimeter.
+
+**Key sources**: [FDA 2026 General Wellness guidance (Kendall PC)](https://kendallpc.com/fdas-2026-guidance-on-general-wellness-devices-policy-for-low-risk-devices-key-compliance-and-regulatory-insights-for-digital-health-companies/), [Troutman Pepper Locke analysis](https://www.troutman.com/insights/fdas-2026-guidance-on-general-wellness-devices-policy-for-low-risk-devices/), [IEEE Spectrum FDA device rules](https://spectrum.ieee.org/fda-medical-device-rules), [FDA wellness tracker / cybersecurity interlock (Troutman)](https://www.troutman.com/insights/wellness-trackers-medical-status-and-cybersecurity-how-fda-ftc-and-state-laws-interlock/).
+
+---
+
+## 8. Frontier Features Worth Shipping
+
+### 8.1 HACS marketplace listing
+
+**Build cost**: medium (4–6 weeks for a gold-tier integration). **User impact**: very high — one-click install removes the MQTT broker prerequisite for non-power-users.
+
+Architecture: Python package at `custom_components/wifi_densepose/`, config flow that discovers Seeds via mDNS (`_ruview._tcp`) or manual IP, bearer token authentication against `GET /api/v1/status`, full entity catalog matching ADR-115 §3.1 (21 entities per node), repairs for offline nodes, diagnostics export, translations for EN/FR/DE/ES. Start from `hacs.integration_blueprint` template. Submit via HACS default repositories GitHub submission.
+
+### 8.2 Matter Bridge with OccupancySensor / ContactSensor / BooleanState
+
+**Build cost**: high (6–8 weeks including CI test harness with chip-tool simulator). **User impact**: high for Apple Home / Google Home users who don't run HA.
+
+Device type mapping:
+- Presence → `OccupancySensor (0x0107)` with `OccupancySensing (0x0406)`, `RFSensing` feature flag set, `HoldTime` attribute wired to sensing-server's zone dwell time.
+- Fall detected → `ContactSensor (0x0015)` used as event source (state: `true` for 5 s after fall, then auto-reset) — closest available device type until a FallEvent device type exists in the spec.
+- Person count → vendor-specific attribute on the Bridge root endpoint (`VendorSpecificAttributeCount`, cluster 0xFFF1_xxxx namespace).
+
+Memory on S3: baseline Matter stack ~1.5 MB flash, ~195 KB DRAM + PSRAM heap; BLE freed post-commissioning recovers ~100 KB. 16 dynamic endpoints (default maximum, configurable per `NUM_DYNAMIC_ENDPOINTS`) costs ~550 bytes DRAM each. For 8 zones: 8 × 550 = 4.4 KB additional DRAM — well within budget. Wi-Fi-only commissioning (Matter 1.4.2) eliminates BLE requirement, simplifying the Seed hardware path.
+
+### 8.3 Cognitum Seed cog manifest + signing
+
+**Build cost**: low (1–2 weeks). **User impact**: enables one-tap install from the Cognitum Seed store.
+
+Manifest structure (based on ADR-069/ADR-100 patterns):
+```json
+{
+  "id": "cog-ha-matter-v1",
+  "version": "1.0.0",
+  "platforms": ["aarch64", "x86_64"],
+  "min_seed_version": "0.8.1",
+  "capabilities": ["network.mqtt", "network.matter", "api.ruview_vitals"],
+  "resource_budget": {"ram_mb": 128, "cpu_percent": 15},
+  "signing_key_id": "ed25519:ruv-cog-signing-v1",
+  "registry_url": "https://seed.cognitum.one/store/cog-ha-matter",
+  "ha_integration_repo": "https://github.com/ruvnet/hass-wifi-densepose"
+}
+```
+Binary signing uses the existing Ed25519 keypair infrastructure from ADR-100. The `cognitum-ota-registry` (port 9003) handles delivery. The cog declaration includes the companion HACS integration GitHub URL so the Seed UI can prompt the user to install the HACS companion if they have HA detected on the LAN.
+
+### 8.4 Local SONA fine-tuning loop for per-home thresholds
+
+**Build cost**: low (2–3 weeks, given ruvllm-esp32 already provides the primitives). **User impact**: high — eliminates false positives that are the top complaint for presence/fall sensors in HA forums.
+
+Implementation: HA sends feedback events via an MQTT command topic (`homeassistant/wifi_densepose/<node>/cmd/feedback`). The cog's SONA adapter processes the feedback as a labeled training example and runs one gradient step. After 20 feedback events, it triggers a witness-chain-attested weight checkpoint. The HACS integration surfaces this as a "Improve detection accuracy" button in the HA device page, pointing users to a simple thumbs-up/thumbs-down UI on the last 10 events.
+
+### 8.5 Multi-room presence handoff
+
+**Build cost**: medium (3–4 weeks). **User impact**: high — eliminates the "ghost occupancy" problem where HA thinks two rooms are occupied when a person walks from one to the other.
+
+Implementation: the cog runs a presence graph across all Seeds in the fleet. Nodes declare themselves adjacent via the manifest or via HA area assignment. When person_count transitions (room A: 1→0, room B: 0→1) within a configurable window (default 3 s), the cog publishes a single `multi_room_transition` event to HA with `from_zone` and `to_zone` fields, and holds the `person_count=1` in the destination room rather than briefly showing 0 in both. This is a cog-side state machine, not an HA automation — it runs at 20 Hz loop cadence.
+
+### 8.6 Energy disaggregation: pairing vitals with HA energy entities
+
+**Build cost**: medium (3–4 weeks). **User impact**: medium-high for sustainability-focused users.
+
+Non-Intrusive Load Monitoring (NILM) in HA already exists as a community blueprint (github.com/tronikos NILM blueprint). The opportunity for RuView is the inverse: rather than using energy to infer occupancy, use RuView's presence data to validate NILM's occupancy assumptions. When RuView reports presence_score < 0.1 (no one home) but the NILM model predicts an active appliance load inconsistent with unoccupied state (e.g., a TV left on), HA can surface a "phantom load detected" notification. The cog publishes a `phantom_load_candidate` event when this condition holds for more than 5 minutes. Pairs with HA's Energy dashboard (introduced in 2021, stable since 2023) and the `homeassistant/sensor/<node>/phantom_load/config` MQTT discovery topic.
+
+### 8.7 Privacy-mode "audit logs only"
+
+**Build cost**: low (1 week, extends existing `--privacy-mode` flag from ADR-115). **User impact**: high for HIPAA-adjacent deployments (care facilities, eldercare) and for GDPR-jurisdiction users.
+
+Three privacy tiers:
+- `none`: full telemetry (HR, BR, pose, presence, count) published to MQTT and Matter.
+- `semantic` (default): HR/BR/pose stripped at wire; semantic primitives (10 states) published only.
+- `audit-only`: no MQTT state messages; only SHA-256 digests of events logged to the witness chain on the Seed. HA receives heartbeat-only availability messages. Suitable for deployments where the home network is untrusted or subject to external logging.
+
+The audit-only mode is a defensible HIPAA/GDPR position for integrators deploying in care settings — the Seed holds the event record, the network carries nothing personally identifiable.
+
+---
+
+## Recommended Scope for HA+Matter Cog v1
+
+Ranked by **build cost × user impact** (low cost + high impact first):
+
+| Priority | Feature | Build effort | User impact | Ships in |
+|---|---|---|---|---|
+| 1 | **Privacy-mode audit-only tier** (§8.7) | 1 week | High (care/GDPR deployments) | v0.7.1 |
+| 2 | **Seed cog manifest + signing** (§8.3) | 1–2 weeks | High (Seed store distribution) | v0.7.1 |
+| 3 | **Local SONA fine-tuning loop** (§8.4) | 2–3 weeks | High (false-positive reduction) | v0.7.1 |
+| 4 | **HACS integration (gold tier)** (§8.1) | 4–6 weeks | Very high (removes MQTT prereq) | v0.7.2 |
+| 5 | **Multi-room presence handoff** (§8.5) | 3–4 weeks | High (ghost occupancy fix) | v0.7.2 |
+| 6 | **Matter Bridge OccupancySensor + ContactSensor** (§8.2) | 6–8 weeks | High (Apple/Google Home reach) | v0.8.0 |
+| 7 | **Energy disaggregation phantom-load** (§8.6) | 3–4 weeks | Medium-high (sustainability niche) | v0.8.0 |
+| 8 | **Thread Border Router on C6** (§1.2) | 2–3 weeks (config only) | Medium (Thread-fabric users) | v0.8.0 |
+| 9 | **CSA Matter certification** (§1.4) | $30–42k + 3–6 months | Medium (commercial badge) | post-v1.0 |
+
+**Deferred**: Seed-as-Matter-Commissioner (feasible on S3 appliance but requires full chip-tool port; defer to v1.0), full HA quality-scale platinum tier (gold is sufficient for v1 HACS listing), NILM phantom-load (ships as experimental blueprint first, then proper integration).
+
+**Recommended v0.7.1 sprint**: privacy-mode audit tier + cog manifest + SONA fine-tuning = 4–5 weeks total, fully within the existing Rust + ESP32 codebase with no new dependencies. This sprint closes the most impactful gap (care deployments + per-home personalization) before the heavier HACS/Matter work begins.
+
+---
+
+*Research methodology: 8 parallel web search passes, 12 targeted page fetches, cross-referenced against ADR-115 and ADR-110 source files. Evidence grade: High for Matter cluster specifications, FDA guidance, HACS requirements, and ESP32-S3 memory numbers. Medium for CSA certification cost estimates (sourced from forum discussion, not official price list). Low for ruvllm SONA per-home fine-tuning feasibility (derived from library documentation, not benchmarked on Seed hardware). Open question: whether ESP32-S3 PSRAM heap is sufficient for the full Matter Bridge stack alongside the existing sensing-server runtime — a build-and-measure step is needed before committing to the v0.8.0 Matter bridge sprint.*

v2/Cargo.lock

@@ -929,6 +929,24 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831"
 
+[[package]]
+name = "cog-ha-matter"
+version = "0.3.0"
+dependencies = [
+ "clap",
+ "ed25519-dalek",
+ "serde",
+ "serde_json",
+ "sha2",
+ "tempfile",
+ "thiserror 1.0.69",
+ "tokio",
+ "tracing",
+ "tracing-subscriber",
+ "wifi-densepose-hardware",
+ "wifi-densepose-sensing-server",
+]
+
 [[package]]
 name = "cog-person-count"
 version = "0.3.0"
@@ -1057,6 +1075,12 @@ dependencies = [
  "wasm-bindgen",
 ]
 
+[[package]]
+name = "const-oid"
+version = "0.9.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
+
 [[package]]
 name = "constant_time_eq"
 version = "0.1.5"
@@ -1350,6 +1374,33 @@ dependencies = [
  "libloading 0.9.0",
 ]
 
+[[package]]
+name = "curve25519-dalek"
+version = "4.1.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
+dependencies = [
+ "cfg-if",
+ "cpufeatures",
+ "curve25519-dalek-derive",
+ "digest",
+ "fiat-crypto",
+ "rustc_version",
+ "subtle",
+ "zeroize",
+]
+
+[[package]]
+name = "curve25519-dalek-derive"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
+dependencies = [
+ "proc-macro2",
+ "quote",
+ "syn 2.0.117",
+]
+
 [[package]]
 name = "darling"
 version = "0.21.3"
@@ -1411,6 +1462,7 @@ version = "0.7.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
 dependencies = [
+ "const-oid",
  "pem-rfc7468",
  "zeroize",
 ]
@@ -1505,7 +1557,7 @@ dependencies = [
  "libc",
  "option-ext",
  "redox_users 0.5.2",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -1626,6 +1678,30 @@ dependencies = [
  "num-traits",
 ]
 
+[[package]]
+name = "ed25519"
+version = "2.2.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
+dependencies = [
+ "pkcs8",
+ "signature",
+]
+
+[[package]]
+name = "ed25519-dalek"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9"
+dependencies = [
+ "curve25519-dalek",
+ "ed25519",
+ "serde",
+ "sha2",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "either"
 version = "1.15.0"
@@ -1726,7 +1802,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
  "libc",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -1756,6 +1832,12 @@ dependencies = [
  "simd-adler32",
 ]
 
+[[package]]
+name = "fiat-crypto"
+version = "0.2.9"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
+
 [[package]]
 name = "field-offset"
 version = "0.3.6"
@@ -3098,7 +3180,7 @@ dependencies = [
  "hyper 0.14.32",
  "rustls 0.21.12",
  "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.24.1",
 ]
 
 [[package]]
@@ -3134,7 +3216,7 @@ dependencies = [
  "libc",
  "percent-encoding",
  "pin-project-lite",
- "socket2 0.5.10",
+ "socket2 0.6.2",
  "tokio",
  "tower-service",
  "tracing",
@@ -3395,7 +3477,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
 dependencies = [
  "hermit-abi",
  "libc",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4102,10 +4184,10 @@ dependencies = [
  "libc",
  "log",
  "openssl",
- "openssl-probe",
+ "openssl-probe 0.2.1",
  "openssl-sys",
  "schannel",
- "security-framework",
+ "security-framework 3.7.0",
  "security-framework-sys",
  "tempfile",
 ]
@@ -4296,7 +4378,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -4661,6 +4743,12 @@ dependencies = [
  "syn 2.0.117",
 ]
 
+[[package]]
+name = "openssl-probe"
+version = "0.1.6"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
+
 [[package]]
 name = "openssl-probe"
 version = "0.2.1"
@@ -4725,7 +4813,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
 dependencies = [
  "libc",
- "windows-sys 0.45.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -5074,6 +5162,16 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"
 
+[[package]]
+name = "pkcs8"
+version = "0.10.2"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
+dependencies = [
+ "der",
+ "spki",
+]
+
 [[package]]
 name = "pkg-config"
 version = "0.3.32"
@@ -5469,7 +5567,7 @@ dependencies = [
  "quinn-udp",
  "rustc-hash",
  "rustls 0.23.37",
- "socket2 0.5.10",
+ "socket2 0.6.2",
  "thiserror 2.0.18",
  "tokio",
  "tracing",
@@ -5508,9 +5606,9 @@ dependencies = [
  "cfg_aliases",
  "libc",
  "once_cell",
- "socket2 0.5.10",
+ "socket2 0.6.2",
  "tracing",
- "windows-sys 0.59.0",
+ "windows-sys 0.60.2",
 ]
 
 [[package]]
@@ -5875,14 +5973,14 @@ dependencies = [
  "percent-encoding",
  "pin-project-lite",
  "rustls 0.21.12",
- "rustls-pemfile",
+ "rustls-pemfile 1.0.4",
  "serde",
  "serde_json",
  "serde_urlencoded",
  "sync_wrapper 0.1.2",
  "system-configuration",
  "tokio",
- "tokio-rustls",
+ "tokio-rustls 0.24.1",
  "tower-service",
  "url",
  "wasm-bindgen",
@@ -6109,6 +6207,24 @@ dependencies = [
  "smallvec",
 ]
 
+[[package]]
+name = "rumqttc"
+version = "0.24.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e1568e15fab2d546f940ed3a21f48bbbd1c494c90c99c4481339364a497f94a9"
+dependencies = [
+ "bytes",
+ "flume",
+ "futures-util",
+ "log",
+ "rustls-native-certs 0.7.3",
+ "rustls-pemfile 2.2.0",
+ "rustls-webpki 0.102.8",
+ "thiserror 1.0.69",
+ "tokio",
+ "tokio-rustls 0.25.0",
+]
+
 [[package]]
 name = "rustc-hash"
 version = "2.1.1"
@@ -6148,7 +6264,7 @@ dependencies = [
  "errno",
  "libc",
  "linux-raw-sys",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -6163,6 +6279,20 @@ dependencies = [
  "sct",
 ]
 
+[[package]]
+name = "rustls"
+version = "0.22.4"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432"
+dependencies = [
+ "log",
+ "ring",
+ "rustls-pki-types",
+ "rustls-webpki 0.102.8",
+ "subtle",
+ "zeroize",
+]
+
 [[package]]
 name = "rustls"
 version = "0.23.37"
@@ -6178,16 +6308,29 @@ dependencies = [
  "zeroize",
 ]
 
+[[package]]
+name = "rustls-native-certs"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "e5bfb394eeed242e909609f56089eecfe5fda225042e8b171791b9c95f5931e5"
+dependencies = [
+ "openssl-probe 0.1.6",
+ "rustls-pemfile 2.2.0",
+ "rustls-pki-types",
+ "schannel",
+ "security-framework 2.11.1",
+]
+
 [[package]]
 name = "rustls-native-certs"
 version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
 dependencies = [
- "openssl-probe",
+ "openssl-probe 0.2.1",
  "rustls-pki-types",
  "schannel",
- "security-framework",
+ "security-framework 3.7.0",
 ]
 
 [[package]]
@@ -6199,6 +6342,15 @@ dependencies = [
  "base64 0.21.7",
 ]
 
+[[package]]
+name = "rustls-pemfile"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
+dependencies = [
+ "rustls-pki-types",
+]
+
 [[package]]
 name = "rustls-pki-types"
 version = "1.14.0"
@@ -6221,13 +6373,13 @@ dependencies = [
  "log",
  "once_cell",
  "rustls 0.23.37",
- "rustls-native-certs",
+ "rustls-native-certs 0.8.3",
  "rustls-platform-verifier-android",
  "rustls-webpki 0.103.13",
- "security-framework",
+ "security-framework 3.7.0",
  "security-framework-sys",
  "webpki-root-certs",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -6246,6 +6398,17 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "rustls-webpki"
+version = "0.102.8"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
+dependencies = [
+ "ring",
+ "rustls-pki-types",
+ "untrusted",
+]
+
 [[package]]
 name = "rustls-webpki"
 version = "0.103.13"
@@ -6548,6 +6711,19 @@ dependencies = [
  "untrusted",
 ]
 
+[[package]]
+name = "security-framework"
+version = "2.11.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
+dependencies = [
+ "bitflags 2.11.0",
+ "core-foundation 0.9.4",
+ "core-foundation-sys",
+ "libc",
+ "security-framework-sys",
+]
+
 [[package]]
 name = "security-framework"
 version = "3.7.0"
@@ -6895,6 +7071,15 @@ dependencies = [
  "libc",
 ]
 
+[[package]]
+name = "signature"
+version = "2.2.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
+dependencies = [
+ "rand_core 0.6.4",
+]
+
 [[package]]
 name = "simba"
 version = "0.9.1"
@@ -7053,6 +7238,16 @@ dependencies = [
  "lock_api",
 ]
 
+[[package]]
+name = "spki"
+version = "0.7.3"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
+dependencies = [
+ "base64ct",
+ "der",
+]
+
 [[package]]
 name = "stable_deref_trait"
 version = "1.2.1"
@@ -7650,7 +7845,7 @@ dependencies = [
  "getrandom 0.4.1",
  "once_cell",
  "rustix",
- "windows-sys 0.59.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]
@@ -7843,6 +8038,17 @@ dependencies = [
  "tokio",
 ]
 
+[[package]]
+name = "tokio-rustls"
+version = "0.25.0"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f"
+dependencies = [
+ "rustls 0.22.4",
+ "rustls-pki-types",
+ "tokio",
+]
+
 [[package]]
 name = "tokio-serial"
 version = "5.4.5"
@@ -9125,9 +9331,12 @@ dependencies = [
  "axum",
  "chrono",
  "clap",
+ "criterion",
  "futures-util",
  "midstreamer-attractor",
  "midstreamer-temporal-compare",
+ "proptest",
+ "rumqttc",
  "ruvector-mincut",
  "serde",
  "serde_json",
@@ -9270,7 +9479,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.48.0",
+ "windows-sys 0.61.2",
 ]
 
 [[package]]

v2/Cargo.toml

@@ -38,6 +38,10 @@ members = [
     # PR #491 slot heuristic with a Candle network + Stoer-Wagner fusion.
     # Motivated by #499 ghost-skeleton reports.
     "crates/cog-person-count",
+    # ADR-116: Home Assistant + Matter Cognitum Seed cog. Wraps the
+    # ADR-115 MQTT publisher as a Seed-installable artifact with
+    # mDNS, embedded broker, RuVector thresholds, Ed25519 witness.
+    "crates/cog-ha-matter",
     # rvCSI — edge RF sensing runtime (ADR-095 platform, ADR-096 FFI/crate layout):
     # lives in its own repo (https://github.com/ruvnet/rvcsi), vendored here as
     # `vendor/rvcsi` and published to crates.io as `rvcsi-*` 0.3.x. Depend on the

v2/crates/cog-ha-matter/Cargo.toml

@@ -0,0 +1,45 @@
+[package]
+name = "cog-ha-matter"
+version.workspace = true
+edition.workspace = true
+authors.workspace = true
+license.workspace = true
+repository.workspace = true
+description = "Cognitum Cog: Home Assistant + Matter integration for the Seed (ADR-116). Wraps ADR-115's HA-DISCO + HA-MIND publisher as a Seed-installable artifact with mDNS, embedded broker, RuVector-backed thresholds, and Ed25519 witness."
+publish = false
+
+[[bin]]
+name = "cog-ha-matter"
+path = "src/main.rs"
+
+[lib]
+name = "cog_ha_matter"
+path = "src/lib.rs"
+
+[dependencies]
+# CLI + logging — same shape as cog-pose-estimation (ADR-101).
+clap = { version = "4", features = ["derive"] }
+serde = { version = "1", features = ["derive"] }
+serde_json = "1"
+thiserror = "1"
+tracing = "0.1"
+tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
+
+# Async runtime for the publisher + mDNS responder + WebSocket pump.
+tokio = { workspace = true, features = ["full"] }
+
+# ADR-115 publisher is the heart of this cog — we wrap it.
+# default-features = false matches the sensing-server's pattern.
+wifi-densepose-sensing-server = { version = "0.3.0", path = "../wifi-densepose-sensing-server", default-features = false, features = ["mqtt"] }
+
+# Hardware crate for SyncPacket + NodeState bridging (ADR-110 substrate).
+wifi-densepose-hardware = { version = "0.3.0", path = "../wifi-densepose-hardware" }
+
+# Witness chain (ADR-116 P4): SHA-256 hash chain + Ed25519 signature
+# layer for tamper-evident audit logs (ADR-116 §2.2). Same version
+# already vetted by ruv-neural — keep them aligned.
+sha2 = { workspace = true }
+ed25519-dalek = "2.1"
+
+[dev-dependencies]
+tempfile = "3.10"

v2/crates/cog-ha-matter/src/lib.rs

@@ -0,0 +1,46 @@
+//! ADR-116 — Home Assistant + Matter Cognitum Seed cog.
+//!
+//! This crate is the Seed-installable wrapper around ADR-115's
+//! `wifi-densepose-sensing-server::mqtt` publisher. It adds the
+//! Seed-native surfaces ADR-115's `--mqtt` flag can't easily reach:
+//!
+//! 1. **mDNS service advertisement** — `_ruview-ha._tcp` so HA discovers
+//!    the cog automatically (no manual broker host/port config).
+//! 2. **Optional embedded MQTT broker** — for Seeds running without an
+//!    external mosquitto. Defaults to off; the cog can either embed
+//!    rumqttd or connect to a user-provided broker.
+//! 3. **RuVector-backed semantic-primitive thresholds** — replaces
+//!    static `semantic-thresholds.yaml` with a SONA-adapted RuVector
+//!    inference. Per-home thresholds learned from the Seed's own
+//!    long-term observation stream.
+//! 4. **Ed25519 witness chain** — every state transition signed so
+//!    regulated deployments (healthcare, education, shared housing)
+//!    have a tamper-evident audit log.
+//! 5. **Multi-Seed federation** — peer discovery via mDNS + cross-Seed
+//!    event deduplication keyed on ADR-110's ≤100 µs mesh-aligned
+//!    timestamps. One fall in a shared room emits one alert, not N.
+//! 6. **OTA firmware coordination** — the cog manages C6 firmware
+//!    rollouts for ESP32-C6 nodes in the local mesh.
+//!
+//! The cog binary entrypoint is in `bin/main.rs`. Library modules
+//! below are intentionally small and testable per the /loop-worker
+//! discipline rules (see `docs/ADR-110-BRANCH-STATE.md`).
+
+pub mod manifest;
+pub mod mdns;
+pub mod runtime;
+pub mod witness;
+pub mod witness_signing;
+
+/// Cog identifier used in Seed's app-registry.json + the manifest.
+pub const COG_ID: &str = "ha-matter";
+
+/// mDNS service type advertised when the cog starts.
+pub const MDNS_SERVICE_TYPE: &str = "_ruview-ha._tcp";
+
+/// Default port for the cog's local HTTP control surface (`/health`,
+/// `/api/v1/cog/status`). Distinct from the MQTT broker port.
+pub const DEFAULT_CONTROL_PORT: u16 = 9180;
+
+/// Default port for the embedded MQTT broker, when enabled.
+pub const DEFAULT_EMBEDDED_BROKER_PORT: u16 = 1883;

v2/crates/cog-ha-matter/src/main.rs

@@ -0,0 +1,129 @@
+//! `cog-ha-matter` — Home Assistant + Matter Cognitum Seed cog (ADR-116).
+//!
+//! Binary entrypoint. The actual wiring lives in [`cog_ha_matter`] —
+//! this main.rs is intentionally tiny so the cog runtime can call
+//! into the library from tests and from the Seed's control plane
+//! integration tests without re-launching the binary.
+
+use std::process::ExitCode;
+
+use clap::Parser;
+use cog_ha_matter::runtime;
+use tokio::sync::broadcast;
+use tracing::{info, warn};
+use wifi_densepose_sensing_server::mqtt::state::VitalsSnapshot;
+
+#[derive(Parser, Debug)]
+#[command(
+    name = "cog-ha-matter",
+    version,
+    about = "Home Assistant + Matter Cognitum Seed cog",
+    long_about = "Wraps the ADR-115 HA-DISCO + HA-MIND publisher as a \
+                  Seed-installable artifact with mDNS, embedded broker, \
+                  RuVector-backed thresholds, and Ed25519 witness. See \
+                  docs/adr/ADR-116-cog-ha-matter-seed.md for the design."
+)]
+struct Args {
+    /// Where to find the local sensing-server (the cog speaks to it
+    /// to pull `VitalsSnapshot` for republication over MQTT/Matter).
+    #[arg(long, default_value = "http://127.0.0.1:3000")]
+    sensing_url: String,
+
+    /// MQTT broker host. When omitted the cog can spin up an embedded
+    /// rumqttd on `DEFAULT_EMBEDDED_BROKER_PORT` (v1: external only).
+    #[arg(long, default_value = "127.0.0.1")]
+    mqtt_host: String,
+
+    /// MQTT broker port.
+    #[arg(long, default_value_t = cog_ha_matter::DEFAULT_EMBEDDED_BROKER_PORT)]
+    mqtt_port: u16,
+
+    /// Strip biometrics at the wire — only semantic primitives published.
+    /// Matches ADR-115 `--privacy-mode`. The right default for any
+    /// deployment with non-tenant occupants.
+    #[arg(long)]
+    privacy_mode: bool,
+
+    /// Print the manifest the cog would self-report to the Seed's
+    /// control plane and exit. Useful for the build-time signer.
+    #[arg(long)]
+    print_manifest: bool,
+}
+
+#[tokio::main]
+async fn main() -> ExitCode {
+    tracing_subscriber::fmt()
+        .with_env_filter(
+            tracing_subscriber::EnvFilter::try_from_default_env()
+                .unwrap_or_else(|_| "cog_ha_matter=info,info".into()),
+        )
+        .init();
+
+    let args = Args::parse();
+
+    info!(
+        sensing_url = %args.sensing_url,
+        mqtt = format!("{}:{}", args.mqtt_host, args.mqtt_port),
+        privacy = args.privacy_mode,
+        "cog-ha-matter starting (ADR-116 P2 scaffold)"
+    );
+
+    if args.print_manifest {
+        // Emit the manifest with build-time-template placeholders. The
+        // Makefile substitutes {{VERSION}} / {{ARCH}} before signing.
+        let m = cog_ha_matter::manifest::CogManifest {
+            id: cog_ha_matter::COG_ID.into(),
+            version: env!("CARGO_PKG_VERSION").into(),
+            binary_url:
+                "https://storage.googleapis.com/cognitum-apps/cogs/{{ARCH}}/cog-ha-matter-{{ARCH}}"
+                    .into(),
+            binary_bytes: 0,
+            binary_sha256: String::new(),
+            binary_signature: String::new(),
+            installed_at: 0,
+            status: "installed".into(),
+        };
+        println!(
+            "{}",
+            serde_json::to_string_pretty(&m).expect("manifest serialization is infallible")
+        );
+        return ExitCode::SUCCESS;
+    }
+
+    // P3: boot the ADR-115 publisher. The broadcast tx is held by
+    // main so the channel doesn't close before the sensing-server
+    // bridge (next iter) wires its VitalsSnapshot producer in.
+    let identity = runtime::CogIdentity::default_for_build();
+    let inputs = runtime::build_publisher_inputs(
+        &args.mqtt_host,
+        args.mqtt_port,
+        args.privacy_mode,
+        identity,
+    );
+    let (state_tx, state_rx) =
+        broadcast::channel::<VitalsSnapshot>(runtime::DEFAULT_STATE_CHANNEL_CAPACITY);
+    let publisher_handle = runtime::spawn_publisher(inputs, state_rx);
+    info!(
+        capacity = runtime::DEFAULT_STATE_CHANNEL_CAPACITY,
+        "publisher spawned — awaiting VitalsSnapshot bridge (P3.5)"
+    );
+
+    // P3.5 (next iter): subscribe to the sensing-server's
+    // `/v1/snapshot` WebSocket and republish into `state_tx`. Until
+    // that lands the cog connects to MQTT, advertises discovery,
+    // and just doesn't have any state to publish — exactly what an
+    // HA install with no nodes online looks like.
+    let _ = &state_tx;
+
+    // Wait on Ctrl-C so the cog runs as a long-lived daemon under
+    // the Seed's process supervisor.
+    tokio::select! {
+        _ = tokio::signal::ctrl_c() => {
+            info!("ctrl-c received — shutting down");
+        }
+        joined = publisher_handle => {
+            warn!(?joined, "publisher task exited unexpectedly");
+        }
+    }
+    ExitCode::SUCCESS
+}

v2/crates/cog-ha-matter/src/manifest.rs

@@ -0,0 +1,99 @@
+//! Cog manifest — same shape as `cog-pose-estimation/cog/manifest.template.json`
+//! per ADR-101 / ADR-102 / ADR-116. Generated at build time by the cog's
+//! Makefile, signed by the project's Ed25519 release key, uploaded to
+//! `gs://cognitum-apps/cogs/<arch>/cog-ha-matter-<arch>` for Seeds to fetch
+//! via `app-registry.json`.
+//!
+//! The runtime ships the typed view here so the cog can self-report its
+//! manifest to the Seed's control plane (`/api/v1/cog/status`).
+//!
+//! Kept in lib.rs's nearest sibling module so manifest format drift between
+//! build-time template and runtime serializer fires a named test.
+
+use serde::{Deserialize, Serialize};
+
+/// Wire-format mirror of `cog/manifest.template.json`.
+///
+/// Every field is required at install time; `binary_signature` is the
+/// Ed25519 sig over `binary_sha256` so the Seed can verify the cog
+/// binary wasn't tampered with between GCS and the device.
+#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
+pub struct CogManifest {
+    /// Stable cog identifier ("ha-matter"). Becomes the directory name
+    /// under `/var/lib/cognitum/apps/<id>/` on the Seed.
+    pub id: String,
+    /// SemVer of the cog binary. Bumped by the Makefile from
+    /// `cargo pkgid` at release time.
+    pub version: String,
+    /// Where the Seed fetches the binary from. Arch-specific URL with
+    /// the `{{ARCH}}` template slot filled in (e.g. `arm`, `x86_64`).
+    pub binary_url: String,
+    /// Bytes of the binary blob. Set at build time after `wc -c`.
+    pub binary_bytes: u64,
+    /// SHA-256 of the binary, hex-lowercase, no `0x` prefix. The Seed
+    /// verifies this before exec().
+    pub binary_sha256: String,
+    /// Ed25519 signature over `binary_sha256`, base64-encoded. Optional
+    /// for unsigned dev builds; required for cogs listed in
+    /// `app-registry.json`.
+    pub binary_signature: String,
+    /// Unix epoch seconds at install time. The Seed stamps this when it
+    /// completes a successful install/upgrade.
+    pub installed_at: u64,
+    /// One of `"installed"`, `"upgrading"`, `"degraded"`, `"removed"`.
+    pub status: String,
+}
+
+impl CogManifest {
+    pub fn id() -> &'static str {
+        super::COG_ID
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    /// Lock the JSON wire shape against accidental field renames. Both
+    /// the Seed's control plane and the build-time signer parse this —
+    /// any drift fires a named test instead of silently breaking ops.
+    #[test]
+    fn manifest_round_trip_matches_template() {
+        let m = CogManifest {
+            id: "ha-matter".into(),
+            version: "0.1.0".into(),
+            binary_url:
+                "https://storage.googleapis.com/cognitum-apps/cogs/arm/cog-ha-matter-arm"
+                    .into(),
+            binary_bytes: 4_200_000,
+            binary_sha256:
+                "a".repeat(64),
+            binary_signature: "Zm9v".into(),
+            installed_at: 1_779_512_400,
+            status: "installed".into(),
+        };
+        let json = serde_json::to_value(&m).unwrap();
+        // Eight required fields, no extras.
+        for key in [
+            "id",
+            "version",
+            "binary_url",
+            "binary_bytes",
+            "binary_sha256",
+            "binary_signature",
+            "installed_at",
+            "status",
+        ] {
+            assert!(json.get(key).is_some(), "missing manifest field `{key}`");
+        }
+        let m2: CogManifest = serde_json::from_value(json).unwrap();
+        assert_eq!(m, m2);
+    }
+
+    #[test]
+    fn manifest_id_constant_matches_cog_id() {
+        // The id helper must agree with the crate-level COG_ID constant
+        // (regression guard for a future rename).
+        assert_eq!(CogManifest::id(), super::super::COG_ID);
+    }
+}

v2/crates/cog-ha-matter/src/mdns.rs

@@ -0,0 +1,217 @@
+//! `mdns` — pure builder for the cog's mDNS advertisement record.
+//!
+//! ADR-116 §2.2: the cog must advertise itself as `_ruview-ha._tcp`
+//! so HA's discovery integration finds the Seed without manual
+//! `broker host` config. This module produces the typed wire-format
+//! shape — no socket I/O, no responder. The actual mDNS responder
+//! (mdns-sd / zeroconf / pnet) lands next iter and consumes this
+//! struct as its single input.
+//!
+//! Keeping the record-builder pure means:
+//!
+//!   * the responder library can be swapped without touching the
+//!     content of the advertisement;
+//!   * the build-time `--print-manifest` path can include the
+//!     advertisement shape so Seed integration tests can assert on
+//!     it without booting tokio;
+//!   * the TXT keys are locked by named unit tests — drift between
+//!     the cog and the HA-side YAML auto-discovery (`hass-wifi-...`)
+//!     fires a test instead of silently breaking a deployment.
+//!
+//! ## TXT record convention (RFC 6763)
+//!
+//! HA's mDNS discovery integration reads TXT records when binding a
+//! manifest to a `homeassistant.<integration>` zeroconf hook. We
+//! publish the minimum set that lets HA distinguish a Seed cog from
+//! a bare sensing-server and pick the right config flow:
+//!
+//! | Key | Value | Purpose |
+//! |---|---|---|
+//! | `cog_id` | `"ha-matter"` | Disambiguates from other RuView cogs |
+//! | `cog_version` | `CARGO_PKG_VERSION` | HA Repairs surfaces upgrade nudges |
+//! | `node_id` | identity node id | HA device registry key |
+//! | `mqtt_port` | u16 string | Tells HA where to reach the cog's MQTT broker (embedded or external) |
+//! | `privacy` | `"1"` / `"0"` | If `1`, HA's config flow gates biometric entities by default |
+//! | `proto` | `"ruview-ha/1"` | Protocol version — bumps on breaking auto-discovery changes |
+//!
+//! No biometric data, no node coordinates, no SSID — TXT records
+//! are broadcast in cleartext and harvested by passive scanners, so
+//! treating them as PII-clean is part of the privacy posture.
+
+use crate::COG_ID;
+
+/// Default mDNS instance name template. `{node_id}` is substituted
+/// at build time. Visible in HA's UI when the integration card is
+/// added — "Cognitum Seed (kitchen)" beats a raw UUID.
+const INSTANCE_TEMPLATE: &str = "Cognitum Seed — {node_id}";
+
+/// Wire-format twin of the mDNS service record this cog publishes.
+/// Owned so the responder can move the whole thing into its task.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct MdnsService {
+    /// RFC 6763 service type. Locked to `_ruview-ha._tcp` by a named
+    /// test — drift breaks HA's YAML auto-discovery binding.
+    pub service_type: String,
+    /// Human-readable instance name shown in HA's discovery UI.
+    pub instance_name: String,
+    /// Port the cog's control plane listens on (NOT the MQTT broker
+    /// port — HA needs both, but the service record advertises the
+    /// control plane; the MQTT port rides as a TXT record).
+    pub control_port: u16,
+    /// TXT records sorted by key for deterministic ordering. RFC
+    /// 6763 §6.4 makes ordering implementation-defined, but locking
+    /// it keeps the cog's wire shape byte-stable across rebuilds.
+    pub txt_records: Vec<(String, String)>,
+}
+
+impl MdnsService {
+    /// Look up a TXT key without iterating the caller. `None` if the
+    /// key isn't published — the responder treats absence as
+    /// "feature off" rather than "unknown".
+    pub fn txt(&self, key: &str) -> Option<&str> {
+        self.txt_records
+            .iter()
+            .find(|(k, _)| k == key)
+            .map(|(_, v)| v.as_str())
+    }
+}
+
+/// Build the cog's mDNS advertisement record from the cog's typed
+/// identity + ports. Pure: no I/O, no env reads.
+pub fn build_mdns_service(
+    identity: &crate::runtime::CogIdentity,
+    control_port: u16,
+    mqtt_port: u16,
+    privacy_mode: bool,
+) -> MdnsService {
+    let mut txt_records = vec![
+        ("cog_id".to_string(), COG_ID.to_string()),
+        ("cog_version".to_string(), identity.sw_version.clone()),
+        ("node_id".to_string(), identity.node_id.clone()),
+        ("mqtt_port".to_string(), mqtt_port.to_string()),
+        (
+            "privacy".to_string(),
+            if privacy_mode { "1" } else { "0" }.to_string(),
+        ),
+        ("proto".to_string(), "ruview-ha/1".to_string()),
+    ];
+    // Deterministic ordering — see field docstring.
+    txt_records.sort();
+
+    MdnsService {
+        service_type: crate::MDNS_SERVICE_TYPE.to_string(),
+        instance_name: INSTANCE_TEMPLATE.replace("{node_id}", &identity.node_id),
+        control_port,
+        txt_records,
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::runtime::CogIdentity;
+
+    fn id() -> CogIdentity {
+        CogIdentity {
+            node_id: "kitchen-seed".into(),
+            friendly_name: "Kitchen Seed".into(),
+            sw_version: "0.3.0".into(),
+        }
+    }
+
+    #[test]
+    fn service_type_locked_to_ruview_ha_tcp() {
+        // Drift here breaks HA's YAML auto-discovery binding. Lock
+        // it so a future rename surfaces a named test instead of a
+        // silent broken deployment.
+        let svc = build_mdns_service(&id(), 9180, 1883, false);
+        assert_eq!(svc.service_type, "_ruview-ha._tcp");
+        assert_eq!(svc.service_type, crate::MDNS_SERVICE_TYPE);
+    }
+
+    #[test]
+    fn instance_name_carries_node_id() {
+        let svc = build_mdns_service(&id(), 9180, 1883, false);
+        assert!(svc.instance_name.contains("kitchen-seed"));
+    }
+
+    #[test]
+    fn control_port_field_holds_control_not_mqtt_port() {
+        // Easy to swap by accident. Lock the binding so a refactor
+        // doesn't silently advertise the MQTT broker as the control
+        // plane.
+        let svc = build_mdns_service(&id(), 9180, 1883, false);
+        assert_eq!(svc.control_port, 9180);
+        assert_eq!(svc.txt("mqtt_port"), Some("1883"));
+    }
+
+    #[test]
+    fn privacy_flag_is_one_or_zero() {
+        let on = build_mdns_service(&id(), 9180, 1883, true);
+        let off = build_mdns_service(&id(), 9180, 1883, false);
+        assert_eq!(on.txt("privacy"), Some("1"));
+        assert_eq!(off.txt("privacy"), Some("0"));
+    }
+
+    #[test]
+    fn proto_version_bumps_surface_in_txt() {
+        // Locked so a future breaking-change in the cog ↔ HA YAML
+        // contract surfaces here. Bumping it is a deliberate act.
+        let svc = build_mdns_service(&id(), 9180, 1883, false);
+        assert_eq!(svc.txt("proto"), Some("ruview-ha/1"));
+    }
+
+    #[test]
+    fn cog_id_in_txt_matches_crate_constant() {
+        let svc = build_mdns_service(&id(), 9180, 1883, false);
+        assert_eq!(svc.txt("cog_id"), Some(crate::COG_ID));
+    }
+
+    #[test]
+    fn txt_records_are_sorted_for_byte_stable_advertisement() {
+        let svc = build_mdns_service(&id(), 9180, 1883, false);
+        let keys: Vec<&str> = svc.txt_records.iter().map(|(k, _)| k.as_str()).collect();
+        let mut sorted = keys.clone();
+        sorted.sort();
+        assert_eq!(keys, sorted);
+    }
+
+    #[test]
+    fn txt_carries_no_biometric_or_pii_keys() {
+        // TXT records broadcast in cleartext; passive scanners
+        // harvest them. Lock the publishable surface so a future
+        // "let's add hr_bpm to TXT for convenience" patch fires a
+        // named test instead of leaking biometrics.
+        let svc = build_mdns_service(&id(), 9180, 1883, false);
+        let forbidden = [
+            "hr_bpm",
+            "br_bpm",
+            "pose_x",
+            "pose_y",
+            "keypoint",
+            "ssid",
+            "lat",
+            "lon",
+            "mac",
+            "rssi",
+        ];
+        for key in forbidden {
+            assert!(
+                svc.txt(key).is_none(),
+                "TXT key `{key}` leaks PII / biometric data — must not be advertised"
+            );
+        }
+    }
+
+    #[test]
+    fn txt_keys_match_locked_surface() {
+        // The HA-side YAML auto-discovery binds on these exact keys.
+        // Adding a key is fine; removing or renaming one breaks
+        // every deployed Seed. This test catches both directions.
+        let svc = build_mdns_service(&id(), 9180, 1883, true);
+        let required = ["cog_id", "cog_version", "node_id", "mqtt_port", "privacy", "proto"];
+        for key in required {
+            assert!(svc.txt(key).is_some(), "TXT key `{key}` missing");
+        }
+    }
+}

v2/crates/cog-ha-matter/src/runtime.rs

@@ -0,0 +1,241 @@
+//! `runtime` — pure builders that turn the cog's small CLI surface
+//! into the shapes ADR-115's `publisher::spawn` consumes.
+//!
+//! Kept side-effect-free so the tests don't need a tokio runtime, and
+//! so the cog's mDNS responder / control plane (P4) can build the
+//! same inputs from a different source (Seed control config, JSON
+//! POST) without going through `clap`.
+//!
+//! Per the ADR-115 integration-test post-mortem (iter 45-48 of the
+//! ADR-110 sprint), the MQTT `client_id` MUST be unique per process —
+//! reusing a client_id causes the broker to disconnect the previous
+//! session and the new publisher reconnects in a loop. We derive
+//! `client_id` from the caller-supplied `node_id` for that reason.
+//!
+//! P3 of ADR-116: this module produces the input pair; the binary
+//! wires the actual `tokio::spawn(publisher::run(...))` next iter.
+//!
+//! The publisher inputs are intentionally typed in *this* crate, so
+//! the cog's tests and the `--print-manifest` path can exercise the
+//! builder without pulling in the rumqttc event loop.
+
+use std::sync::Arc;
+
+use tokio::{sync::broadcast, task::JoinHandle};
+use wifi_densepose_sensing_server::mqtt::{
+    config::{MqttConfig, PublishRates, TlsConfig},
+    publisher::{self, OwnedDiscoveryBuilder},
+    state::VitalsSnapshot,
+    DEFAULT_DISCOVERY_PREFIX, MANUFACTURER,
+};
+
+/// Caller-supplied identity for the cog instance. Filled in by the
+/// cog runtime from the mDNS hostname / Seed control plane in
+/// production; threaded as a parameter so tests can build inputs
+/// without touching the environment.
+#[derive(Debug, Clone)]
+pub struct CogIdentity {
+    /// Stable node identifier — appears in MQTT topics, HA device
+    /// registry, mDNS service name. Must be ASCII-safe; the cog
+    /// runtime is responsible for sanitising user input.
+    pub node_id: String,
+    /// Human-readable name surfaced in the HA UI.
+    pub friendly_name: String,
+    /// SemVer of the cog binary. Surfaces as the HA device `sw_version`.
+    pub sw_version: String,
+}
+
+impl CogIdentity {
+    /// Default identity used when the cog runs standalone (no Seed
+    /// control plane). Uses the PID for uniqueness so two cog
+    /// instances on the same host don't fight over the same MQTT
+    /// session — same trick the ADR-115 publisher uses.
+    pub fn default_for_build() -> Self {
+        Self {
+            node_id: format!("cog-ha-matter-{}", std::process::id()),
+            friendly_name: "Cognitum Seed — HA cog".into(),
+            sw_version: env!("CARGO_PKG_VERSION").into(),
+        }
+    }
+}
+
+/// The pair ADR-115's `publisher::spawn` needs. Owned so we can move
+/// the whole thing into a `tokio::spawn` closure without lifetime
+/// gymnastics.
+#[derive(Debug, Clone)]
+pub struct PublisherInputs {
+    pub config: MqttConfig,
+    pub discovery: OwnedDiscoveryBuilder,
+}
+
+/// Build the publisher inputs from the cog's small CLI surface.
+///
+/// Pure function — no I/O, no env reads. The caller wraps `config`
+/// in an `Arc` before handing it to `publisher::spawn`.
+pub fn build_publisher_inputs(
+    mqtt_host: &str,
+    mqtt_port: u16,
+    privacy_mode: bool,
+    identity: CogIdentity,
+) -> PublisherInputs {
+    let config = MqttConfig {
+        host: mqtt_host.to_string(),
+        port: mqtt_port,
+        username: None,
+        password: None,
+        client_id: format!("{}-{}", super::COG_ID, identity.node_id),
+        discovery_prefix: DEFAULT_DISCOVERY_PREFIX.to_string(),
+        tls: TlsConfig::Off,
+        refresh_secs: 60,
+        rates: PublishRates::default(),
+        publish_pose: false,
+        privacy_mode,
+    };
+
+    let discovery = OwnedDiscoveryBuilder {
+        discovery_prefix: DEFAULT_DISCOVERY_PREFIX.to_string(),
+        node_id: identity.node_id,
+        node_friendly_name: Some(identity.friendly_name),
+        sw_version: identity.sw_version,
+        model: format!("{MANUFACTURER} cog-ha-matter"),
+        via_device: Some(super::COG_ID.to_string()),
+    };
+
+    PublisherInputs { config, discovery }
+}
+
+/// Default broadcast-channel capacity for the cog's VitalsSnapshot
+/// stream. Matches the sensing-server's own default so the cog
+/// doesn't bottleneck the publisher under bursty loads (multi-Seed
+/// federation, mesh re-sync events).
+pub const DEFAULT_STATE_CHANNEL_CAPACITY: usize = 256;
+
+/// Spawn the ADR-115 MQTT publisher with the cog's typed inputs.
+///
+/// Thin wrapper around [`publisher::spawn`] that:
+/// 1. wraps `inputs.config` in `Arc` (publisher requires shared
+///    ownership across reconnects),
+/// 2. moves `inputs.discovery` into the spawn (publisher clones it
+///    per reconnect; `OwnedDiscoveryBuilder` is `Clone`),
+/// 3. hands the broadcast receiver across without an intermediate.
+///
+/// Returning the `JoinHandle` lets `main.rs` await it on shutdown
+/// (or `abort()` it from a control-plane handler).
+pub fn spawn_publisher(
+    inputs: PublisherInputs,
+    state_rx: broadcast::Receiver<VitalsSnapshot>,
+) -> JoinHandle<()> {
+    let PublisherInputs { config, discovery } = inputs;
+    publisher::spawn(Arc::new(config), discovery, state_rx)
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn id() -> CogIdentity {
+        CogIdentity {
+            node_id: "seed-7".into(),
+            friendly_name: "test-seed".into(),
+            sw_version: "0.0.1-test".into(),
+        }
+    }
+
+    #[test]
+    fn host_and_port_round_trip_into_mqtt_config() {
+        let out = build_publisher_inputs("10.0.0.5", 8883, false, id());
+        assert_eq!(out.config.host, "10.0.0.5");
+        assert_eq!(out.config.port, 8883);
+    }
+
+    #[test]
+    fn privacy_mode_propagates_to_mqtt_config() {
+        let on = build_publisher_inputs("h", 1883, true, id());
+        let off = build_publisher_inputs("h", 1883, false, id());
+        assert!(on.config.privacy_mode);
+        assert!(!off.config.privacy_mode);
+    }
+
+    #[test]
+    fn discovery_prefix_defaults_to_homeassistant() {
+        let out = build_publisher_inputs("h", 1883, false, id());
+        assert_eq!(out.config.discovery_prefix, DEFAULT_DISCOVERY_PREFIX);
+        assert_eq!(out.discovery.discovery_prefix, DEFAULT_DISCOVERY_PREFIX);
+    }
+
+    #[test]
+    fn discovery_carries_identity_fields() {
+        let out = build_publisher_inputs("h", 1883, false, id());
+        assert_eq!(out.discovery.node_id, "seed-7");
+        assert_eq!(out.discovery.sw_version, "0.0.1-test");
+        assert_eq!(out.discovery.node_friendly_name.as_deref(), Some("test-seed"));
+    }
+
+    #[test]
+    fn via_device_advertises_cog_id() {
+        // ADR-101 / ADR-102: every cog must surface its `id` as the
+        // HA device's `via_device` so the appliance shows up as the
+        // bridge — fires a named test instead of silently breaking
+        // the device-registry shape.
+        let out = build_publisher_inputs("h", 1883, false, id());
+        assert_eq!(out.discovery.via_device.as_deref(), Some(super::super::COG_ID));
+    }
+
+    #[test]
+    fn client_id_includes_node_id_for_session_uniqueness() {
+        // Lesson from the ADR-115 integration-test post-mortem: two
+        // publishers sharing a `client_id` fight over the broker
+        // session and one reconnects forever. The cog must derive
+        // `client_id` from `node_id` so multi-Seed deployments don't
+        // collide.
+        let out = build_publisher_inputs("h", 1883, false, id());
+        assert!(out.config.client_id.contains("seed-7"));
+        assert!(out.config.client_id.starts_with(super::super::COG_ID));
+    }
+
+    #[test]
+    fn tls_defaults_to_off_for_v1_lan_only() {
+        // v1 ships LAN-only (no broker on the open internet); TLS
+        // wiring lands in v0.8 alongside Matter Bridge per ADR-116
+        // §4. Lock the default so a future refactor surfaces a
+        // named test instead of silently enabling TLS.
+        let out = build_publisher_inputs("h", 1883, false, id());
+        assert!(matches!(out.config.tls, TlsConfig::Off));
+    }
+
+    #[tokio::test]
+    async fn spawn_publisher_returns_live_handle_without_broker() {
+        // No real broker on this port — rumqttc retries internally so
+        // the spawned task stays alive. We just prove the wiring
+        // compiles + the JoinHandle is not pre-finished. Aborting
+        // immediately keeps the test under 100 ms.
+        let inputs = build_publisher_inputs("127.0.0.1", 1, false, id());
+        let (tx, rx) = broadcast::channel::<VitalsSnapshot>(DEFAULT_STATE_CHANNEL_CAPACITY);
+        let handle = spawn_publisher(inputs, rx);
+        // Task is still running (not pre-finished by config validation).
+        assert!(!handle.is_finished());
+        // Keep `tx` alive past the handle abort so the receiver side
+        // doesn't panic on drop before the task notices the channel
+        // closed.
+        handle.abort();
+        let _ = handle.await; // joined, may be Err(Cancelled) — OK.
+        drop(tx);
+    }
+
+    #[test]
+    fn default_state_channel_capacity_is_reasonable() {
+        // Lock the default so a regression to e.g. 1 surfaces a named
+        // test. Multi-Seed federation needs headroom for bursty
+        // mesh re-sync events.
+        assert!(DEFAULT_STATE_CHANNEL_CAPACITY >= 64);
+    }
+
+    #[test]
+    fn default_identity_carries_pkg_version_and_pid() {
+        let identity = CogIdentity::default_for_build();
+        assert_eq!(identity.sw_version, env!("CARGO_PKG_VERSION"));
+        assert!(identity.node_id.starts_with("cog-ha-matter-"));
+        // Friendly name is non-empty so HA's device card has a label.
+        assert!(!identity.friendly_name.is_empty());
+    }
+}

v2/crates/cog-ha-matter/src/witness.rs

@@ -0,0 +1,795 @@
+//! `witness` — append-only hash-chained event log for the cog.
+//!
+//! ADR-116 §2.2 promises a tamper-evident audit log so regulated
+//! deployments (healthcare, education, shared housing) can prove
+//! that the state transitions a Seed reported were actually emitted
+//! by the cog at the time they were emitted, not retroactively
+//! rewritten.
+//!
+//! This module is the **pure hash-chain primitive**:
+//!
+//!   * SHA-256 over deterministic canonical bytes,
+//!   * `prev_hash` chains each event to its predecessor,
+//!   * `WitnessChain::append` is the only mutator — no random
+//!     access, no replace, no delete.
+//!
+//! Ed25519 signing layers on top once the key-management story
+//! lands (probably as `witness_signing.rs` reading a key from the
+//! Seed's secure store). Keeping the hash chain and the signature
+//! in separate modules means the chain primitive can be tested
+//! without a key fixture, and a future key rotation doesn't
+//! invalidate the chain itself — only the signature over each
+//! event.
+//!
+//! ## Why hash-chain first, not Merkle tree?
+//!
+//! The cog emits witness events at the rate of semantic-primitive
+//! transitions — a few per minute in steady state, dozens during
+//! a fall-detection / room-transition event. Linear scan is fine
+//! at that rate; we save the Merkle complexity for a future tier
+//! when the chain spans days and the auditor wants O(log n)
+//! inclusion proofs.
+
+use std::io::{self, BufRead, Write};
+
+use sha2::{Digest, Sha256};
+
+/// 32-byte hash output. Lifted into a newtype so a future migration
+/// to Blake3 / SHA-512 surfaces as a type change instead of a
+/// silent length difference in serialized witness bundles.
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+pub struct WitnessHash(pub [u8; 32]);
+
+impl WitnessHash {
+    /// Genesis hash — the predecessor of the first event. Sentinel
+    /// "no prior event" value.
+    pub const GENESIS: WitnessHash = WitnessHash([0u8; 32]);
+
+    /// Lowercase hex without `0x` prefix. Matches the format the
+    /// `cog-pose-estimation` manifest uses for `binary_sha256` so
+    /// downstream tooling can apply one parser.
+    pub fn to_hex(&self) -> String {
+        let mut s = String::with_capacity(64);
+        for b in self.0 {
+            s.push_str(&format!("{b:02x}"));
+        }
+        s
+    }
+
+    /// Parse a 64-char lowercase-hex string back into a `WitnessHash`.
+    /// Rejects wrong-length input and non-hex characters — used by
+    /// the JSONL parser when reading audit bundles.
+    pub fn from_hex(s: &str) -> Result<WitnessHash, WitnessParseError> {
+        if s.len() != 64 {
+            return Err(WitnessParseError::HashLength { found: s.len() });
+        }
+        let mut out = [0u8; 32];
+        for (i, byte) in out.iter_mut().enumerate() {
+            let lo = i * 2;
+            *byte = u8::from_str_radix(&s[lo..lo + 2], 16)
+                .map_err(|_| WitnessParseError::HashHex { at: lo })?;
+        }
+        Ok(WitnessHash(out))
+    }
+}
+
+/// A single witnessed event. Append-only — once committed to a
+/// `WitnessChain`, the fields here are immutable.
+#[derive(Debug, Clone, PartialEq, Eq)]
+pub struct WitnessEvent {
+    /// Zero-based sequence number. Strictly monotonically
+    /// increasing within a chain — gaps mean the chain was
+    /// truncated.
+    pub seq: u64,
+    /// Hash of the previous event, or [`WitnessHash::GENESIS`] for
+    /// the first.
+    pub prev_hash: WitnessHash,
+    /// Unix epoch seconds at append time. Caller-supplied so the
+    /// test suite isn't time-coupled; production uses
+    /// `SystemTime::now()`.
+    pub timestamp_unix_s: u64,
+    /// Short stable kind tag — e.g. `"fall_risk_elevated"`,
+    /// `"bed_exit"`, `"privacy_mode_toggled"`. Locked vocabulary
+    /// in the future; free-form here until the semantic-primitive
+    /// catalog stabilises.
+    pub kind: String,
+    /// Opaque payload bytes. Typically the JSON of the emitted MQTT
+    /// state message so an auditor can re-derive what HA was told.
+    pub payload: Vec<u8>,
+    /// Hash of *this* event, computed over canonical bytes that
+    /// include `prev_hash` — so reconstructing the chain proves
+    /// nothing in the past was rewritten.
+    pub this_hash: WitnessHash,
+}
+
+/// Compute the canonical-bytes form an event is hashed over.
+///
+/// The format is intentionally simple and length-prefixed so a
+/// future migration can be staged with a `version` byte in front
+/// without ambiguity:
+///
+/// ```text
+///   prev_hash[32] | seq:u64-be | ts:u64-be | kind_len:u32-be | kind | payload_len:u32-be | payload
+/// ```
+///
+/// Length-prefixing prevents the classic "concatenation forgery"
+/// attack where `"abc" + "def"` and `"ab" + "cdef"` would hash the
+/// same.
+pub fn canonical_bytes(
+    prev_hash: WitnessHash,
+    seq: u64,
+    timestamp_unix_s: u64,
+    kind: &str,
+    payload: &[u8],
+) -> Vec<u8> {
+    let kind_bytes = kind.as_bytes();
+    let mut out = Vec::with_capacity(32 + 8 + 8 + 4 + kind_bytes.len() + 4 + payload.len());
+    out.extend_from_slice(&prev_hash.0);
+    out.extend_from_slice(&seq.to_be_bytes());
+    out.extend_from_slice(&timestamp_unix_s.to_be_bytes());
+    out.extend_from_slice(&(kind_bytes.len() as u32).to_be_bytes());
+    out.extend_from_slice(kind_bytes);
+    out.extend_from_slice(&(payload.len() as u32).to_be_bytes());
+    out.extend_from_slice(payload);
+    out
+}
+
+/// Compute the SHA-256 hash for an event.
+pub fn hash_event(
+    prev_hash: WitnessHash,
+    seq: u64,
+    timestamp_unix_s: u64,
+    kind: &str,
+    payload: &[u8],
+) -> WitnessHash {
+    let mut h = Sha256::new();
+    h.update(canonical_bytes(prev_hash, seq, timestamp_unix_s, kind, payload));
+    let digest = h.finalize();
+    let mut out = [0u8; 32];
+    out.copy_from_slice(&digest);
+    WitnessHash(out)
+}
+
+/// In-memory append-only chain. Persistence (write to the Seed's
+/// `~/cognitum/witness/<cog>/events.jsonl`) is a separate concern
+/// kept out of this module.
+#[derive(Debug, Default, Clone)]
+pub struct WitnessChain {
+    events: Vec<WitnessEvent>,
+}
+
+impl WitnessChain {
+    pub fn new() -> Self {
+        Self::default()
+    }
+
+    /// Last committed hash, or `GENESIS` if the chain is empty.
+    pub fn tip(&self) -> WitnessHash {
+        self.events
+            .last()
+            .map(|e| e.this_hash)
+            .unwrap_or(WitnessHash::GENESIS)
+    }
+
+    pub fn len(&self) -> usize {
+        self.events.len()
+    }
+
+    pub fn is_empty(&self) -> bool {
+        self.events.is_empty()
+    }
+
+    /// Append a new event. Caller supplies the wall-clock so tests
+    /// stay deterministic.
+    pub fn append(&mut self, kind: &str, payload: &[u8], timestamp_unix_s: u64) -> &WitnessEvent {
+        let prev_hash = self.tip();
+        let seq = self.events.len() as u64;
+        let this_hash = hash_event(prev_hash, seq, timestamp_unix_s, kind, payload);
+        self.events.push(WitnessEvent {
+            seq,
+            prev_hash,
+            timestamp_unix_s,
+            kind: kind.to_string(),
+            payload: payload.to_vec(),
+            this_hash,
+        });
+        self.events.last().expect("just pushed")
+    }
+
+    pub fn events(&self) -> &[WitnessEvent] {
+        &self.events
+    }
+
+    /// Stream every event to a JSONL sink. Each event becomes one
+    /// line terminated by `\n`. Empty chains write zero bytes.
+    ///
+    /// The caller owns the writer — `File`, `BufWriter`, an
+    /// in-memory `Vec<u8>` for tests — so this method never
+    /// allocates beyond per-event line buffers.
+    pub fn write_jsonl<W: Write>(&self, w: &mut W) -> io::Result<()> {
+        for ev in &self.events {
+            w.write_all(ev.to_jsonl_line().as_bytes())?;
+            w.write_all(b"\n")?;
+        }
+        Ok(())
+    }
+
+    /// Read a JSONL audit bundle into a fresh `WitnessChain`. Each
+    /// non-empty line is parsed via `WitnessEvent::from_jsonl_line`
+    /// (which re-verifies the stored hash), then the loaded chain
+    /// is end-to-end verified via [`WitnessChain::verify`] to catch
+    /// out-of-order events or replayed prefixes.
+    ///
+    /// Bundle errors surface with their `line_no` (1-indexed) so an
+    /// auditor can point at the bad record.
+    pub fn read_jsonl<R: BufRead>(r: R) -> Result<WitnessChain, WitnessReadError> {
+        let mut chain = WitnessChain::new();
+        for (i, line_res) in r.lines().enumerate() {
+            let line_no = i + 1;
+            let line = line_res.map_err(|e| WitnessReadError::Io {
+                line_no,
+                msg: e.to_string(),
+            })?;
+            if line.trim().is_empty() {
+                continue; // tolerate blank lines / trailing \n
+            }
+            let ev = WitnessEvent::from_jsonl_line(&line)
+                .map_err(|source| WitnessReadError::Parse { line_no, source })?;
+            chain.events.push(ev);
+        }
+        chain
+            .verify()
+            .map_err(|source| WitnessReadError::Verify { source })?;
+        Ok(chain)
+    }
+
+    /// Verify every event's `this_hash` matches the canonical bytes,
+    /// every `prev_hash` matches the predecessor's `this_hash`, and
+    /// `seq` is gap-free starting at 0.
+    ///
+    /// Returns `Ok(())` on a sound chain or an `Err` with the first
+    /// failing index + reason — auditor-friendly.
+    pub fn verify(&self) -> Result<(), WitnessVerifyError> {
+        let mut prev = WitnessHash::GENESIS;
+        for (i, ev) in self.events.iter().enumerate() {
+            if ev.seq != i as u64 {
+                return Err(WitnessVerifyError::SeqGap { at: i, found: ev.seq });
+            }
+            if ev.prev_hash != prev {
+                return Err(WitnessVerifyError::PrevHashMismatch { at: i });
+            }
+            let recomputed = hash_event(
+                ev.prev_hash,
+                ev.seq,
+                ev.timestamp_unix_s,
+                &ev.kind,
+                &ev.payload,
+            );
+            if recomputed != ev.this_hash {
+                return Err(WitnessVerifyError::HashMismatch { at: i });
+            }
+            prev = ev.this_hash;
+        }
+        Ok(())
+    }
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error)]
+pub enum WitnessVerifyError {
+    #[error("seq gap at index {at}: expected {at}, found {found}")]
+    SeqGap { at: usize, found: u64 },
+    #[error("prev_hash mismatch at index {at}")]
+    PrevHashMismatch { at: usize },
+    #[error("this_hash mismatch at index {at} — event tampered")]
+    HashMismatch { at: usize },
+}
+
+#[derive(Debug, thiserror::Error)]
+pub enum WitnessReadError {
+    #[error("io error at line {line_no}: {msg}")]
+    Io { line_no: usize, msg: String },
+    #[error("parse error at line {line_no}: {source}")]
+    Parse {
+        line_no: usize,
+        #[source]
+        source: WitnessParseError,
+    },
+    #[error("chain-level verify failed: {source}")]
+    Verify {
+        #[source]
+        source: WitnessVerifyError,
+    },
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error)]
+pub enum WitnessParseError {
+    #[error("invalid JSON: {0}")]
+    Json(String),
+    #[error("missing required field `{0}`")]
+    MissingField(&'static str),
+    #[error("field `{field}` has wrong type")]
+    WrongType { field: &'static str },
+    #[error("hash hex must be 64 chars, got {found}")]
+    HashLength { found: usize },
+    #[error("hash hex parse error at byte offset {at}")]
+    HashHex { at: usize },
+    #[error("payload hex parse error at byte offset {at}")]
+    PayloadHex { at: usize },
+    #[error("payload hex must be even length, got {found}")]
+    PayloadLength { found: usize },
+    #[error("recomputed hash does not match this_hash — bundle is forged or corrupted")]
+    HashMismatch,
+}
+
+fn hex_encode(bytes: &[u8]) -> String {
+    let mut s = String::with_capacity(bytes.len() * 2);
+    for b in bytes {
+        s.push_str(&format!("{b:02x}"));
+    }
+    s
+}
+
+fn hex_decode(s: &str) -> Result<Vec<u8>, WitnessParseError> {
+    if s.len() % 2 != 0 {
+        return Err(WitnessParseError::PayloadLength { found: s.len() });
+    }
+    let mut out = Vec::with_capacity(s.len() / 2);
+    for i in (0..s.len()).step_by(2) {
+        let byte = u8::from_str_radix(&s[i..i + 2], 16)
+            .map_err(|_| WitnessParseError::PayloadHex { at: i })?;
+        out.push(byte);
+    }
+    Ok(out)
+}
+
+impl WitnessEvent {
+    /// Serialize one event to a single JSONL line (no trailing
+    /// newline). The format is the audit-bundle wire shape; tools
+    /// downstream parse it line-by-line with [`Self::from_jsonl_line`].
+    ///
+    /// Field ordering is locked alphabetically for byte-stable
+    /// output across rebuilds — auditors hash whole bundles, so a
+    /// rebuild that reordered fields would silently invalidate
+    /// archival hashes.
+    ///
+    /// Wire shape:
+    ///
+    /// ```json
+    /// {"kind":"...","payload_hex":"...","prev_hash":"...","seq":N,"this_hash":"...","timestamp_unix_s":N}
+    /// ```
+    pub fn to_jsonl_line(&self) -> String {
+        // Hand-rolled instead of serde_derive so the wire-format
+        // ordering is under direct test control.
+        format!(
+            "{{\"kind\":{kind},\"payload_hex\":\"{payload}\",\"prev_hash\":\"{prev}\",\"seq\":{seq},\"this_hash\":\"{this}\",\"timestamp_unix_s\":{ts}}}",
+            kind = serde_json::to_string(&self.kind).expect("string is always serializable"),
+            payload = hex_encode(&self.payload),
+            prev = self.prev_hash.to_hex(),
+            seq = self.seq,
+            this = self.this_hash.to_hex(),
+            ts = self.timestamp_unix_s,
+        )
+    }
+
+    /// Parse one JSONL line back into a `WitnessEvent`. Re-verifies
+    /// the stored `this_hash` against the canonical bytes — a
+    /// tampered bundle fires [`WitnessParseError::HashMismatch`]
+    /// instead of silently loading forged events.
+    pub fn from_jsonl_line(line: &str) -> Result<WitnessEvent, WitnessParseError> {
+        let v: serde_json::Value =
+            serde_json::from_str(line).map_err(|e| WitnessParseError::Json(e.to_string()))?;
+        let obj = v
+            .as_object()
+            .ok_or(WitnessParseError::WrongType { field: "<root>" })?;
+
+        let seq = obj
+            .get("seq")
+            .ok_or(WitnessParseError::MissingField("seq"))?
+            .as_u64()
+            .ok_or(WitnessParseError::WrongType { field: "seq" })?;
+        let timestamp_unix_s = obj
+            .get("timestamp_unix_s")
+            .ok_or(WitnessParseError::MissingField("timestamp_unix_s"))?
+            .as_u64()
+            .ok_or(WitnessParseError::WrongType {
+                field: "timestamp_unix_s",
+            })?;
+        let kind = obj
+            .get("kind")
+            .ok_or(WitnessParseError::MissingField("kind"))?
+            .as_str()
+            .ok_or(WitnessParseError::WrongType { field: "kind" })?
+            .to_string();
+        let prev_hash = WitnessHash::from_hex(
+            obj.get("prev_hash")
+                .ok_or(WitnessParseError::MissingField("prev_hash"))?
+                .as_str()
+                .ok_or(WitnessParseError::WrongType { field: "prev_hash" })?,
+        )?;
+        let this_hash = WitnessHash::from_hex(
+            obj.get("this_hash")
+                .ok_or(WitnessParseError::MissingField("this_hash"))?
+                .as_str()
+                .ok_or(WitnessParseError::WrongType { field: "this_hash" })?,
+        )?;
+        let payload = hex_decode(
+            obj.get("payload_hex")
+                .ok_or(WitnessParseError::MissingField("payload_hex"))?
+                .as_str()
+                .ok_or(WitnessParseError::WrongType {
+                    field: "payload_hex",
+                })?,
+        )?;
+
+        // Re-verify the stored hash. The on-disk hash is purely
+        // declarative; this is what makes the JSONL a witness.
+        let recomputed = hash_event(prev_hash, seq, timestamp_unix_s, &kind, &payload);
+        if recomputed != this_hash {
+            return Err(WitnessParseError::HashMismatch);
+        }
+
+        Ok(WitnessEvent {
+            seq,
+            prev_hash,
+            timestamp_unix_s,
+            kind,
+            payload,
+            this_hash,
+        })
+    }
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    fn genesis_hash_is_all_zeros() {
+        assert_eq!(WitnessHash::GENESIS.0, [0u8; 32]);
+    }
+
+    #[test]
+    fn empty_chain_tip_is_genesis() {
+        let c = WitnessChain::new();
+        assert_eq!(c.tip(), WitnessHash::GENESIS);
+        assert!(c.is_empty());
+    }
+
+    #[test]
+    fn canonical_bytes_length_prefixing_prevents_ambiguity() {
+        // Classic concatenation forgery: without length prefixes,
+        // ("abc","def") and ("ab","cdef") would produce the same
+        // hash. With them, they don't.
+        let a = canonical_bytes(WitnessHash::GENESIS, 0, 0, "abc", b"def");
+        let b = canonical_bytes(WitnessHash::GENESIS, 0, 0, "ab", b"cdef");
+        assert_ne!(a, b);
+    }
+
+    #[test]
+    fn canonical_bytes_starts_with_prev_hash() {
+        // Locks the on-wire format. A future migration that flips
+        // field order must bump a version byte and update this test.
+        let bytes = canonical_bytes(WitnessHash([7u8; 32]), 1, 2, "k", b"p");
+        assert_eq!(&bytes[..32], &[7u8; 32]);
+    }
+
+    #[test]
+    fn append_links_to_prev_hash() {
+        let mut c = WitnessChain::new();
+        let h1 = c.append("a", b"1", 100).this_hash;
+        let e2 = c.append("b", b"2", 101);
+        assert_eq!(e2.prev_hash, h1);
+        assert_eq!(e2.seq, 1);
+    }
+
+    #[test]
+    fn sequence_is_monotonic_starting_at_zero() {
+        let mut c = WitnessChain::new();
+        for i in 0..5 {
+            c.append("k", &[i], 0);
+        }
+        for (i, ev) in c.events().iter().enumerate() {
+            assert_eq!(ev.seq, i as u64);
+        }
+    }
+
+    #[test]
+    fn verify_passes_on_clean_chain() {
+        let mut c = WitnessChain::new();
+        c.append("fall_risk_elevated", b"{}", 100);
+        c.append("bed_exit", b"{}", 101);
+        c.append("privacy_mode_toggled", br#"{"on":true}"#, 102);
+        c.verify().expect("clean chain verifies");
+    }
+
+    #[test]
+    fn verify_catches_tampered_payload() {
+        let mut c = WitnessChain::new();
+        c.append("a", b"original", 100);
+        c.append("b", b"original2", 101);
+        // Tamper with event 0's payload directly.
+        c.events[0].payload = b"forged".to_vec();
+        let err = c.verify().unwrap_err();
+        assert!(matches!(err, WitnessVerifyError::HashMismatch { at: 0 }));
+    }
+
+    #[test]
+    fn verify_catches_broken_prev_link() {
+        let mut c = WitnessChain::new();
+        c.append("a", b"1", 100);
+        c.append("b", b"2", 101);
+        c.events[1].prev_hash = WitnessHash([0xff; 32]);
+        let err = c.verify().unwrap_err();
+        assert!(matches!(err, WitnessVerifyError::PrevHashMismatch { at: 1 }));
+    }
+
+    #[test]
+    fn verify_catches_seq_gap() {
+        let mut c = WitnessChain::new();
+        c.append("a", b"1", 100);
+        c.append("b", b"2", 101);
+        c.events[1].seq = 99;
+        let err = c.verify().unwrap_err();
+        assert!(matches!(err, WitnessVerifyError::SeqGap { at: 1, found: 99 }));
+    }
+
+    #[test]
+    fn hash_to_hex_is_64_lowercase_chars() {
+        let h = hash_event(WitnessHash::GENESIS, 0, 0, "k", b"p");
+        let hex = h.to_hex();
+        assert_eq!(hex.len(), 64);
+        assert!(hex.chars().all(|c| c.is_ascii_hexdigit() && !c.is_ascii_uppercase()));
+    }
+
+    #[test]
+    fn first_event_prev_hash_is_genesis() {
+        // Auditor relies on this: a witness bundle that doesn't start
+        // with prev_hash == GENESIS is either truncated or stitched
+        // together from two chains.
+        let mut c = WitnessChain::new();
+        let e = c.append("init", b"", 0);
+        assert_eq!(e.prev_hash, WitnessHash::GENESIS);
+        assert_eq!(e.seq, 0);
+    }
+
+    #[test]
+    fn different_payloads_produce_different_hashes() {
+        let h1 = hash_event(WitnessHash::GENESIS, 0, 100, "k", b"a");
+        let h2 = hash_event(WitnessHash::GENESIS, 0, 100, "k", b"b");
+        assert_ne!(h1, h2);
+    }
+
+    // ---- JSONL persistence ----
+
+    fn fresh_event() -> WitnessEvent {
+        let mut c = WitnessChain::new();
+        c.append("fall_risk_elevated", br#"{"node":"kitchen"}"#, 1779512400);
+        c.events()[0].clone()
+    }
+
+    #[test]
+    fn jsonl_round_trip_preserves_all_fields() {
+        let original = fresh_event();
+        let line = original.to_jsonl_line();
+        let parsed = WitnessEvent::from_jsonl_line(&line).expect("clean line round-trips");
+        assert_eq!(parsed, original);
+    }
+
+    #[test]
+    fn jsonl_line_has_no_embedded_newline() {
+        // JSONL is one record per line; an embedded \n in the
+        // serialized form would corrupt the file format.
+        let line = fresh_event().to_jsonl_line();
+        assert!(!line.contains('\n'));
+        assert!(!line.contains('\r'));
+    }
+
+    #[test]
+    fn jsonl_field_order_is_alphabetical_for_byte_stability() {
+        // Auditors archive whole bundles and hash them — reordered
+        // fields would silently invalidate archival hashes. Lock
+        // the order with a substring check on a known event.
+        let line = fresh_event().to_jsonl_line();
+        let order = ["kind", "payload_hex", "prev_hash", "seq", "this_hash", "timestamp_unix_s"];
+        let mut last = 0usize;
+        for field in order {
+            let pos = line.find(field).unwrap_or_else(|| panic!("missing field `{field}`"));
+            assert!(pos > last, "field `{field}` out of alphabetical order");
+            last = pos;
+        }
+    }
+
+    #[test]
+    fn jsonl_parser_rejects_tampered_payload() {
+        let original = fresh_event();
+        let line = original.to_jsonl_line();
+        // Flip one nibble in the payload hex — the stored hash
+        // won't match the recomputed hash.
+        let tampered = line.replacen("payload_hex\":\"7b", "payload_hex\":\"6b", 1);
+        assert_ne!(line, tampered, "test fixture didn't flip a byte");
+        let err = WitnessEvent::from_jsonl_line(&tampered).unwrap_err();
+        assert!(
+            matches!(err, WitnessParseError::HashMismatch),
+            "expected HashMismatch, got {err:?}"
+        );
+    }
+
+    #[test]
+    fn jsonl_parser_rejects_non_hex_hash() {
+        // Replace the hex hash with non-hex chars — must fire a
+        // structured error, not a panic.
+        let original = fresh_event();
+        let line = original.to_jsonl_line();
+        let broken = line.replacen(
+            &original.this_hash.to_hex()[..4],
+            "ZZZZ",
+            1,
+        );
+        let err = WitnessEvent::from_jsonl_line(&broken).unwrap_err();
+        assert!(matches!(err, WitnessParseError::HashHex { .. }));
+    }
+
+    #[test]
+    fn jsonl_parser_rejects_missing_field() {
+        let bad = r#"{"seq":0,"kind":"k","prev_hash":"00","this_hash":"00","timestamp_unix_s":1}"#;
+        let err = WitnessEvent::from_jsonl_line(bad).unwrap_err();
+        // Missing payload_hex; should fire MissingField before any
+        // hex decode happens.
+        assert!(matches!(err, WitnessParseError::MissingField("payload_hex")
+            | WitnessParseError::HashLength { .. }));
+    }
+
+    #[test]
+    fn hex_encode_decode_round_trip() {
+        let cases: &[&[u8]] = &[
+            b"",
+            b"\x00",
+            b"\xff",
+            b"hello world",
+            &[0x00, 0x01, 0xab, 0xcd, 0xef],
+        ];
+        for c in cases {
+            let encoded = hex_encode(c);
+            let decoded = hex_decode(&encoded).unwrap();
+            assert_eq!(&decoded[..], *c, "round-trip failed for {c:?}");
+        }
+    }
+
+    #[test]
+    fn hex_decode_rejects_odd_length() {
+        let err = hex_decode("abc").unwrap_err();
+        assert!(matches!(err, WitnessParseError::PayloadLength { found: 3 }));
+    }
+
+    #[test]
+    fn witness_hash_from_hex_round_trip() {
+        let h = WitnessHash([0x12; 32]);
+        let hex = h.to_hex();
+        let parsed = WitnessHash::from_hex(&hex).unwrap();
+        assert_eq!(parsed, h);
+    }
+
+    #[test]
+    fn witness_hash_from_hex_rejects_wrong_length() {
+        let err = WitnessHash::from_hex("ab").unwrap_err();
+        assert!(matches!(err, WitnessParseError::HashLength { found: 2 }));
+    }
+
+    // ---- file persistence (write_jsonl / read_jsonl) ----
+
+    #[test]
+    fn write_jsonl_empty_chain_writes_zero_bytes() {
+        let c = WitnessChain::new();
+        let mut buf = Vec::new();
+        c.write_jsonl(&mut buf).unwrap();
+        assert_eq!(buf, b"");
+    }
+
+    #[test]
+    fn write_then_read_round_trips_multi_event_chain() {
+        let mut written = WitnessChain::new();
+        written.append("a", b"first", 100);
+        written.append("b", b"second", 101);
+        written.append("c", br#"{"x":1}"#, 102);
+
+        let mut buf = Vec::new();
+        written.write_jsonl(&mut buf).unwrap();
+
+        let read_back = WitnessChain::read_jsonl(buf.as_slice()).unwrap();
+        assert_eq!(read_back.len(), 3);
+        assert_eq!(read_back.events(), written.events());
+        assert_eq!(read_back.tip(), written.tip());
+    }
+
+    #[test]
+    fn write_jsonl_separates_events_with_newline() {
+        let mut c = WitnessChain::new();
+        c.append("a", b"1", 100);
+        c.append("b", b"2", 101);
+        let mut buf = Vec::new();
+        c.write_jsonl(&mut buf).unwrap();
+        let s = std::str::from_utf8(&buf).unwrap();
+        // Exactly N newlines for N events.
+        assert_eq!(s.matches('\n').count(), 2);
+        assert!(s.ends_with('\n'));
+    }
+
+    #[test]
+    fn read_jsonl_tolerates_blank_lines() {
+        let mut c = WitnessChain::new();
+        c.append("a", b"1", 100);
+        c.append("b", b"2", 101);
+        let mut buf = Vec::new();
+        c.write_jsonl(&mut buf).unwrap();
+        // Inject blanks — sometimes happens when files are edited.
+        let with_blanks = format!(
+            "\n{}\n\n",
+            std::str::from_utf8(&buf).unwrap().trim_end()
+        );
+        let read = WitnessChain::read_jsonl(with_blanks.as_bytes()).unwrap();
+        assert_eq!(read.len(), 2);
+    }
+
+    #[test]
+    fn read_jsonl_surfaces_line_no_on_parse_error() {
+        // Two good events, then one with a flipped payload byte.
+        let mut c = WitnessChain::new();
+        c.append("a", b"1", 100);
+        c.append("b", b"2", 101);
+        let mut buf = Vec::new();
+        c.write_jsonl(&mut buf).unwrap();
+        let mut text = String::from_utf8(buf).unwrap();
+        let forged = c.events()[0].to_jsonl_line().replacen(
+            "payload_hex\":\"31",
+            "payload_hex\":\"32",
+            1,
+        );
+        text.push_str(&forged);
+        text.push('\n');
+
+        let err = WitnessChain::read_jsonl(text.as_bytes()).unwrap_err();
+        match err {
+            WitnessReadError::Parse { line_no, .. } => assert_eq!(line_no, 3),
+            other => panic!("expected Parse error at line 3, got {other:?}"),
+        }
+    }
+
+    #[test]
+    fn read_jsonl_chain_verify_catches_reordered_events() {
+        // Build a chain, then write it out with the events swapped.
+        // Each individual event still verifies its own hash (because
+        // its prev_hash is internally consistent with what *it*
+        // claimed), but the cross-event chain check fires.
+        let mut original = WitnessChain::new();
+        original.append("a", b"1", 100);
+        original.append("b", b"2", 101);
+        let mut buf = Vec::new();
+        original.write_jsonl(&mut buf).unwrap();
+        let lines: Vec<&[u8]> = buf.split(|&b| b == b'\n').filter(|s| !s.is_empty()).collect();
+        // Reverse order, send through reader.
+        let mut reversed: Vec<u8> = Vec::new();
+        reversed.extend_from_slice(lines[1]);
+        reversed.push(b'\n');
+        reversed.extend_from_slice(lines[0]);
+        reversed.push(b'\n');
+        let err = WitnessChain::read_jsonl(reversed.as_slice()).unwrap_err();
+        assert!(matches!(err, WitnessReadError::Verify { .. }));
+    }
+
+    #[test]
+    fn read_jsonl_no_trailing_newline_still_works() {
+        // BufRead's lines() handles the no-final-newline case; lock
+        // the behavior so a future swap to a different reader can't
+        // silently truncate the last event.
+        let mut c = WitnessChain::new();
+        c.append("only", b"x", 100);
+        let mut buf = Vec::new();
+        c.write_jsonl(&mut buf).unwrap();
+        // Strip the trailing \n.
+        if buf.last() == Some(&b'\n') {
+            buf.pop();
+        }
+        let read = WitnessChain::read_jsonl(buf.as_slice()).unwrap();
+        assert_eq!(read.len(), 1);
+    }
+}

v2/crates/cog-ha-matter/src/witness_signing.rs

@@ -0,0 +1,231 @@
+//! `witness_signing` — Ed25519 signature layer over the witness chain.
+//!
+//! ADR-116 §2.2: every state transition must be signed by the
+//! Seed so a downstream auditor can prove the chain wasn't
+//! retroactively assembled. The chain primitive
+//! (`witness::WitnessChain`) handles hash linkage; this module
+//! adds the cryptographic attestation.
+//!
+//! Kept in a separate module from the chain itself so:
+//!
+//!   * the hash chain stays usable without `ed25519-dalek` linked
+//!     in (good for the `wasm32-unknown-unknown` cog variant we'll
+//!     ship for browser-side audit verification),
+//!   * key rotation invalidates *signatures* but not the chain —
+//!     the auditor only needs the new public key to re-verify,
+//!   * the signing surface stays small enough to audit in one
+//!     read.
+//!
+//! ## What gets signed
+//!
+//! `sign_event(event, key)` signs the same canonical byte form
+//! that `witness::hash_event` hashes. That means:
+//!
+//!   1. A signature commits to the entire event (kind, payload,
+//!      timestamp, seq, prev_hash) — no field can be retroactively
+//!      changed without invalidating both the hash AND the
+//!      signature.
+//!   2. The signature implicitly commits to the *chain position*
+//!      via `prev_hash` — splicing a signed event into a different
+//!      chain breaks verification.
+//!
+//! ## Key management
+//!
+//! Out of scope for this module. The cog runtime reads the Seed's
+//! Ed25519 signing key from the Cognitum control plane's secure
+//! key store (separate concern). Tests use a fixed-bytes seed for
+//! determinism — never check in real Seed keys here.
+
+use ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};
+
+use crate::witness::{canonical_bytes, WitnessEvent};
+
+/// Sign a witness event with the Seed's Ed25519 key. Returns the
+/// 64-byte Ed25519 signature over the event's canonical bytes —
+/// the same bytes `witness::hash_event` hashes, so a verifier that
+/// already trusts the hash chain only needs one extra check.
+pub fn sign_event(event: &WitnessEvent, key: &SigningKey) -> Signature {
+    let bytes = canonical_bytes(
+        event.prev_hash,
+        event.seq,
+        event.timestamp_unix_s,
+        &event.kind,
+        &event.payload,
+    );
+    key.sign(&bytes)
+}
+
+/// Verify an Ed25519 signature against a witness event using the
+/// Seed's public key. `Ok(())` iff the signature is valid for the
+/// event's canonical bytes under this key.
+pub fn verify_signature(
+    event: &WitnessEvent,
+    signature: &Signature,
+    public_key: &VerifyingKey,
+) -> Result<(), SignatureVerifyError> {
+    let bytes = canonical_bytes(
+        event.prev_hash,
+        event.seq,
+        event.timestamp_unix_s,
+        &event.kind,
+        &event.payload,
+    );
+    public_key
+        .verify(&bytes, signature)
+        .map_err(|_| SignatureVerifyError::Invalid)
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error)]
+pub enum SignatureVerifyError {
+    #[error("Ed25519 signature does not match event under this public key")]
+    Invalid,
+}
+
+/// Encode a signature as 128 hex chars (no `0x` prefix). Matches the
+/// hex convention the rest of the witness wire format uses.
+pub fn signature_to_hex(sig: &Signature) -> String {
+    let bytes = sig.to_bytes();
+    let mut s = String::with_capacity(128);
+    for b in bytes {
+        s.push_str(&format!("{b:02x}"));
+    }
+    s
+}
+
+/// Parse a 128-char lowercase-hex string back into a `Signature`.
+pub fn signature_from_hex(s: &str) -> Result<Signature, SignatureParseError> {
+    if s.len() != 128 {
+        return Err(SignatureParseError::Length { found: s.len() });
+    }
+    let mut bytes = [0u8; 64];
+    for (i, byte) in bytes.iter_mut().enumerate() {
+        let lo = i * 2;
+        *byte = u8::from_str_radix(&s[lo..lo + 2], 16)
+            .map_err(|_| SignatureParseError::Hex { at: lo })?;
+    }
+    Ok(Signature::from_bytes(&bytes))
+}
+
+#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error)]
+pub enum SignatureParseError {
+    #[error("signature hex must be 128 chars, got {found}")]
+    Length { found: usize },
+    #[error("signature hex parse error at byte offset {at}")]
+    Hex { at: usize },
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use crate::witness::{WitnessChain, WitnessHash};
+
+    fn fixed_key() -> SigningKey {
+        // Deterministic test key — DO NOT use in production. The
+        // seed is `b"cog-ha-matter-unit-tests--------"` (32 bytes).
+        SigningKey::from_bytes(b"cog-ha-matter-unit-tests--------")
+    }
+
+    fn fresh_event() -> WitnessEvent {
+        let mut c = WitnessChain::new();
+        c.append("fall_risk_elevated", br#"{"node":"kitchen"}"#, 1779512400);
+        c.events()[0].clone()
+    }
+
+    #[test]
+    fn sign_and_verify_round_trip() {
+        let key = fixed_key();
+        let public = key.verifying_key();
+        let event = fresh_event();
+        let sig = sign_event(&event, &key);
+        verify_signature(&event, &sig, &public).expect("clean signature verifies");
+    }
+
+    #[test]
+    fn verify_rejects_signature_under_wrong_key() {
+        let key = fixed_key();
+        let other = SigningKey::from_bytes(b"different-key-different-key-----");
+        let event = fresh_event();
+        let sig = sign_event(&event, &key);
+        // Same event, signature from `key`, but verify under `other`'s
+        // public key — must fail.
+        let err = verify_signature(&event, &sig, &other.verifying_key()).unwrap_err();
+        assert_eq!(err, SignatureVerifyError::Invalid);
+    }
+
+    #[test]
+    fn verify_rejects_tampered_event() {
+        // Sign one event, then mutate the payload and verify the
+        // *mutated* event under the same signature. Must fail.
+        let key = fixed_key();
+        let public = key.verifying_key();
+        let mut event = fresh_event();
+        let sig = sign_event(&event, &key);
+        event.payload = b"forged-after-sign".to_vec();
+        let err = verify_signature(&event, &sig, &public).unwrap_err();
+        assert_eq!(err, SignatureVerifyError::Invalid);
+    }
+
+    #[test]
+    fn verify_rejects_event_with_wrong_prev_hash() {
+        // Same payload + kind, but the event claims a different
+        // chain position. Cryptographically bound to prev_hash via
+        // canonical bytes.
+        let key = fixed_key();
+        let public = key.verifying_key();
+        let mut event = fresh_event();
+        let sig = sign_event(&event, &key);
+        event.prev_hash = WitnessHash([0x77; 32]);
+        let err = verify_signature(&event, &sig, &public).unwrap_err();
+        assert_eq!(err, SignatureVerifyError::Invalid);
+    }
+
+    #[test]
+    fn signature_hex_round_trip() {
+        let key = fixed_key();
+        let event = fresh_event();
+        let sig = sign_event(&event, &key);
+        let hex = signature_to_hex(&sig);
+        assert_eq!(hex.len(), 128);
+        assert!(hex.chars().all(|c| c.is_ascii_hexdigit() && !c.is_ascii_uppercase()));
+        let parsed = signature_from_hex(&hex).unwrap();
+        assert_eq!(parsed.to_bytes(), sig.to_bytes());
+    }
+
+    #[test]
+    fn signature_from_hex_rejects_wrong_length() {
+        let err = signature_from_hex("abcd").unwrap_err();
+        assert_eq!(err, SignatureParseError::Length { found: 4 });
+    }
+
+    #[test]
+    fn signature_from_hex_rejects_non_hex() {
+        // 128 chars but non-hex.
+        let bad = "Z".repeat(128);
+        let err = signature_from_hex(&bad).unwrap_err();
+        assert!(matches!(err, SignatureParseError::Hex { at: 0 }));
+    }
+
+    #[test]
+    fn signature_is_deterministic_for_same_event_and_key() {
+        // Ed25519 is deterministic; locking this means a future
+        // accidental switch to a randomized scheme (RustCrypto's
+        // optional rand-based API) fires a named test.
+        let key = fixed_key();
+        let event = fresh_event();
+        let sig1 = sign_event(&event, &key);
+        let sig2 = sign_event(&event, &key);
+        assert_eq!(sig1.to_bytes(), sig2.to_bytes());
+    }
+
+    #[test]
+    fn different_events_produce_different_signatures() {
+        let key = fixed_key();
+        let mut a = fresh_event();
+        let mut b = fresh_event();
+        a.payload = b"a".to_vec();
+        b.payload = b"b".to_vec();
+        let sig_a = sign_event(&a, &key);
+        let sig_b = sign_event(&b, &key);
+        assert_ne!(sig_a.to_bytes(), sig_b.to_bytes());
+    }
+}