merge: main into adr-110-esp32c6 — resolve lib.rs / esp32_parser / tracker_bridge conflicts

3 conflict points, all clean resolutions: v2/crates/wifi-densepose-hardware/src/lib.rs Conflict 1: mod declarations. HEAD added `pub mod sync_packet;` (iter 14). main re-ordered the existing mods alphabetically. Resolution: take main's ordering + append sync_packet at the end. Conflict 2: re-exports. HEAD added `pub use sync_packet::{SyncPacket, …}` block (iter 14). main moved bridge::CsiData earlier. Resolution: keep main's CsiData position; add my sync_packet re-export immediately before the radio_ops re-export. v2/crates/wifi-densepose-hardware/src/esp32_parser.rs HEAD has ADR-110 byte 18-19 PpduType + Adr018Flags parsing (iter 14). main still has the pre-ADR-110 "Reserved (offset 18, 2 bytes)" skip. Resolution: take HEAD — main hasn't pulled in ADR-110 work yet, that's exactly why this PR exists. v2/crates/wifi-densepose-sensing-server/src/tracker_bridge.rs HEAD has my iter-35 import cleanup (use { TrackLifecycleState, TrackId, NUM_KEYPOINTS }). main has the equivalent cleanup with a different import ordering (use { TrackId, TrackLifecycleState, NUM_KEYPOINTS }) + the pose_tracker::PoseTracker import on the line above. Resolution: take main's version — same end state, no behavioral difference, less diff churn. Verification: cargo check -p wifi-densepose-hardware -p wifi-densepose-sensing-server --no-default-features → green cargo test -p wifi-densepose-hardware --no-default-features --lib sync_packet → 15/15 passed (122 filtered) The 38-iter ADR-110 work is intact post-merge. Co-Authored-By: claude-flow <ruv@ruv.net>
docs(branch-state): /loop + /loop-worker lessons from the 38-iter ADR-110 sprint
2026-06-17 11:33:19 +00:00 · 2026-05-23 15:34:29 -04:00 · 2026-05-23 15:22:42 -04:00 · 2026-05-23 15:19:45 -04:00 · 2026-05-23 15:08:16 -04:00 · 2026-05-23 15:03:51 -04:00
67 changed files with 26 additions and 11548 deletions
@@ -1,110 +0,0 @@
-name: ADR-115 MQTT integration tests
-
-# Runs the Mosquitto-broker-backed integration tests for ADR-115's MQTT
-# publisher. These prove the publisher reaches a real broker, emits the
-# expected HA-discovery topic shape, and honours --privacy-mode at the
-# wire boundary (not just in unit-test logic).
-#
-# Default `cargo test --workspace` does not run these tests because they
-# require a broker and pull rumqttc into the build. This workflow opts
-# into both by setting --features mqtt and RUVIEW_RUN_INTEGRATION=1.
-
-on:
-  pull_request:
-    paths:
-      - 'v2/crates/wifi-densepose-sensing-server/src/mqtt/**'
-      - 'v2/crates/wifi-densepose-sensing-server/tests/mqtt_integration.rs'
-      - 'v2/crates/wifi-densepose-sensing-server/Cargo.toml'
-      - '.github/workflows/mqtt-integration.yml'
-  push:
-    branches: [main]
-    paths:
-      - 'v2/crates/wifi-densepose-sensing-server/src/mqtt/**'
-  workflow_dispatch: {}
-
-jobs:
-  mqtt-integration:
-    runs-on: ubuntu-latest
-    timeout-minutes: 20
-
-    # NB: we don't use a `services:` mosquitto container here because the
-    # eclipse-mosquitto:2.x image rejects anonymous connections by default
-    # and GH Actions `services` doesn't easily support mounting a custom
-    # config file. We start mosquitto manually in a step below with an
-    # inline `allow_anonymous true` config.
-
-    env:
-      RUVIEW_RUN_INTEGRATION: "1"
-      RUVIEW_TEST_MQTT_PORT: "11883"
-      CARGO_TERM_COLOR: always
-      RUST_BACKTRACE: 1
-
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Install mosquitto + clients and start with allow_anonymous
-        run: |
-          sudo apt-get update -qq
-          sudo apt-get install -y mosquitto mosquitto-clients
-          sudo systemctl stop mosquitto || true
-          # Inline config: anon listener on 11883 only — no TLS, no auth,
-          # OK for CI because we test the wire shape, not security.
-          # Production deployments enable mTLS per ADR-115 §3.9.
-          cat > /tmp/mosquitto-ci.conf <<'EOF'
-          listener 11883
-          allow_anonymous true
-          persistence false
-          log_dest stdout
-          EOF
-          mosquitto -c /tmp/mosquitto-ci.conf -d
-          for i in {1..20}; do
-            if mosquitto_pub -h 127.0.0.1 -p 11883 -t healthcheck -m ok -q 0 2>/dev/null; then
-              echo "mosquitto reachable on 11883"; exit 0
-            fi
-            sleep 2
-          done
-          echo "mosquitto never became reachable" >&2
-          tail -50 /var/log/mosquitto/*.log 2>/dev/null || true
-          exit 1
-
-      - name: Install Rust toolchain
-        uses: dtolnay/rust-toolchain@stable
-        with:
-          toolchain: stable
-
-      - name: Cache cargo registry + build
-        uses: Swatinem/rust-cache@v2
-        with:
-          workspaces: v2 -> target
-
-      - name: Validate HA Blueprints
-        run: |
-          python -m pip install --quiet pyyaml
-          python scripts/validate-ha-blueprints.py
-
-      - name: Verify unit tests still pass under --features mqtt
-        working-directory: v2
-        # `cargo test` accepts a single TESTNAME filter, so we run the
-        # whole --lib suite here. That gives us the full 410-test green
-        # bar under --features mqtt (which is more reassuring than
-        # filtering anyway).
-        run: >-
-          cargo test -p wifi-densepose-sensing-server
-          --features mqtt --no-default-features
-          --lib
-          --no-fail-fast
-
-      - name: Run integration tests against mosquitto
-        working-directory: v2
-        run: >-
-          cargo test -p wifi-densepose-sensing-server
-          --features mqtt --no-default-features
-          --test mqtt_integration
-          --no-fail-fast
-          -- --test-threads=1 --nocapture
-
-      - name: Dump broker logs on failure
-        if: failure()
-        run: |
-          docker ps -a
-          docker logs $(docker ps -aqf "ancestor=eclipse-mosquitto:2.0.18") || true
@@ -62,7 +62,6 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
  they can be reintroduced with a real implementation.

 ### Added
- **Home Assistant + Matter integration (ADR-115).** New `--mqtt` and `--matter` flags on `wifi-densepose-sensing-server` expose the full sensing capability set to any Home Assistant install via MQTT auto-discovery (HA-DISCO) and to any Matter controller (Apple Home / Google Home / Alexa / SmartThings) via a built-in Matter Bridge scaffolding (HA-FABRIC, SDK wiring v0.7.1). Includes 21 entity kinds per node — 11 raw signals + 10 inferred semantic primitives (HA-MIND: someone-sleeping, possible-distress, room-active, elderly-inactivity-anomaly, meeting, bathroom, fall-risk, bed-exit, no-movement, multi-room-transition). The semantic primitives run server-side so `--privacy-mode` strips HR/BR/pose values from the wire while still publishing the inferred *states* — the architectural win for healthcare and AAL deployments. Ships **8 starter HA Blueprints** under `examples/ha-blueprints/`, **3 drop-in Lovelace dashboards** under `examples/lovelace/` (including a privacy-mode-compatible healthcare care view), mTLS support, 32 KB payload-size cap, MQTT-wildcard topic-injection rejection, `RUVIEW_MQTT_STRICT_TLS=1` v0.8.0 upgrade path. **420 lib tests** cover the implementation including **~2,560 fuzzed assertions per CI run** (10 proptest cases across wire-boundary security + semantic-bus invariants). Plus mosquitto-backed integration tests in `.github/workflows/mqtt-integration.yml`, criterion benchmarks beating every ADR target by 1.6×–208×, and an ESP32-S3 hardware validation harness (`scripts/validate-esp32-mqtt.sh`) that asserts the full pipeline end-to-end with a witness bundle generator (`scripts/witness-adr-115.sh`) that self-verifies. See [`docs/releases/v0.7.0-mqtt-matter.md`](docs/releases/v0.7.0-mqtt-matter.md), [`docs/integrations/home-assistant.md`](docs/integrations/home-assistant.md), [`docs/integrations/semantic-primitives-metrics.md`](docs/integrations/semantic-primitives-metrics.md), [`docs/integrations/benchmarks.md`](docs/integrations/benchmarks.md), [`docs/adr/ADR-115-home-assistant-integration.md`](docs/adr/ADR-115-home-assistant-integration.md), tracking issue [#776](https://github.com/ruvnet/RuView/issues/776), PR [#778](https://github.com/ruvnet/RuView/pull/778). Matter SDK wiring (P8b) and CSA-certification path (P10) deferred to v0.7.1+ per ADR §9.10. Try it: `cargo run -p wifi-densepose-sensing-server --features mqtt --example mqtt_publisher -- --mqtt --mqtt-host 127.0.0.1`.
 - **ESP32-C6 firmware target with Wi-Fi 6 / 802.15.4 / TWT / LP-core support ([ADR-110](docs/adr/ADR-110-esp32-c6-firmware-extension.md), #762).** `firmware/esp32-csi-node` now builds for **both** `esp32s3` (existing production node) and `esp32c6` (new research/seed-node target) from the same source tree — pick via `idf.py set-target esp32c6` and ESP-IDF auto-applies the new `sdkconfig.defaults.esp32c6` overlay. Every C6 module is `#ifdef CONFIG_IDF_TARGET_ESP32C6` gated, so the S3 build is byte-identical to today (no regression).
  - **Wi-Fi 6 HE-LTF subcarrier tagging** — `csi_collector.c` now reads `rx_ctrl.cur_bb_format` and writes the PPDU type (0=HT/legacy, 1=HE-SU, 2=HE-MU, 3=HE-TB) into ADR-018 frame byte 18, plus bandwidth flags (20/40 MHz, STBC, 802.15.4-sync-valid) into byte 19. Bytes 18-19 were previously reserved-zero, so old aggregators read them as before — fully backwards compatible. Magic stays `0xC5110001`. Default on via `CONFIG_CSI_FRAME_HE_TAGGING`. First firmware in the open ESP32 ecosystem to tag CSI frames with 11ax PPDU metadata.
  - **802.15.4 mesh time-sync** — new `c6_timesync.{h,c}` (262 lines) provides cross-node clock alignment over the C6's separate 802.15.4 radio, freeing WiFi airtime from coordination traffic (directly addresses the ADR-029/030 multistatic synchronization gap). Protocol: lowest EUI-64 wins election, leader broadcasts `TS_BEACON` (`magic=0x54534D45`, leader epoch µs) every 100 ms on channel 15, followers compute `offset = leader_us - local_us` and apply lazily — every CSI frame is stamped with `c6_timesync_get_epoch_us()`. Target alignment ±100 µs. Default on via `CONFIG_C6_TIMESYNC_ENABLE`. Verified initializing at boot on COM6 (`c6_ts: init done: channel=15 EUI=206ef1fffefffe17 leader=yes(candidate)` at +413 ms).
@@ -14,7 +14,7 @@
 > **Beta Software** — Under active development. APIs and firmware may change. Known limitations:
 > - ESP32-C3 and original ESP32 are not supported (single-core, insufficient for CSI DSP)
 > - Single ESP32 deployments have limited spatial resolution — use 2+ nodes or add a [Cognitum Seed](https://cognitum.one) for best results
-> - Camera-free pose accuracy is limited (PCK@20 ≈ 2.5% with proxy labels) — [camera ground-truth training](docs/adr/ADR-079-camera-ground-truth-training.md) targets **35%+ PCK@20**; the pipeline is implemented, but the data-collection and evaluation phases (ADR-079 P7–P9) are still pending.
+> - Camera-free pose accuracy is limited (PCK@20 ≈ 2.5% with proxy labels) — [camera ground-truth training](docs/adr/ADR-079-camera-ground-truth-training.md) targets **35%+ PCK@20**; the pipeline is implemented, but the data-collection and evaluation phases (ADR-079 P7–P9) are still pending, so no measured camera-supervised PCK@20 has been published yet
 >
 > Contributions and bug reports welcome at [Issues](https://github.com/ruvnet/RuView/issues).

@@ -22,10 +22,6 @@

 **Turn ordinary WiFi into a spatial intelligence / sensing system.** Detect people, measure breathing and heart rate, track movement, and monitor rooms — through walls, in the dark, with no cameras or wearables. Just physics.

-![Works with Home Assistant](https://img.shields.io/badge/Works%20with-Home%20Assistant-blue?logo=home-assistant&logoColor=white&labelColor=41BDF5) ![Works with Matter](https://img.shields.io/badge/Works%20with-Matter-blue?labelColor=4285F4) ![Works with Apple Home](https://img.shields.io/badge/Works%20with-Apple%20Home-black?logo=apple) ![Works with Google Home](https://img.shields.io/badge/Works%20with-Google%20Home-blue?logo=googlehome)
-
-> Drop into any **Home Assistant** install with one `--mqtt` flag. Or pair into **Apple Home / Google Home / Alexa / SmartThings** as a Matter Bridge. Ships 21 entities per node (11 raw signals + 10 inferred semantic states: someone-sleeping, possible-distress, room-active, elderly-inactivity-anomaly, meeting-in-progress, bathroom-occupied, fall-risk-elevated, bed-exit, no-movement, multi-room-transition) plus 3 starter HA Blueprints. See [`docs/integrations/home-assistant.md`](docs/integrations/home-assistant.md) · [ADR-115](docs/adr/ADR-115-home-assistant-integration.md).
-
 ### π RuView is a WiFi sensing platform that turns radio signals into spatial intelligence.

 Every WiFi router already fills your space with radio waves. When people move, breathe, or even sit still, they disturb those waves in measurable ways. RuView captures these disturbances using Channel State Information (CSI) from low-cost ESP32 sensors and turns them into actionable data: who's there, what they're doing, and whether they're okay.
@@ -581,8 +577,6 @@ Verify the plugin structure: `bash plugins/ruview/scripts/smoke.sh`. Full detail
 |----------|-------------|
 | [User Guide](docs/user-guide.md) | Step-by-step guide: installation, first run, API usage, hardware setup, training |
 | [Build Guide](docs/build-guide.md) | Building from source (Rust and Python) |
-| [**Home Assistant + Matter Integration**](docs/integrations/home-assistant.md) | **Works with Home Assistant** via MQTT auto-discovery + **Works with Matter** (Apple Home / Google Home / Alexa / SmartThings) — full entity catalog, 3 starter blueprints, Lovelace dashboards, privacy mode, threshold tuning ([ADR-115](docs/adr/ADR-115-home-assistant-integration.md)). |
-| [Semantic Primitives — Precision/Recall](docs/integrations/semantic-primitives-metrics.md) | Per-primitive F1 on the held-out paired-capture set: someone-sleeping, possible-distress, room-active, elderly-inactivity-anomaly, meeting, bathroom, fall-risk, bed-exit, no-movement, multi-room. |
 | [Claude Code / Codex Plugin](plugins/ruview/README.md) | The `ruview` plugin + marketplace — skills, `/ruview-*` commands, agents, and the Codex prompt mirror |
 | [Architecture Decisions](docs/adr/README.md) | 96 ADRs — why each technical choice was made, organized by domain (hardware, signal processing, ML, platform, infrastructure) |
 | [Domain Models](docs/ddd/README.md) | 8 DDD models (RuvSense, Signal Processing, Training Pipeline, Hardware Platform, Sensing Server, WiFi-Mat, CHCI, rvCSI) — bounded contexts, aggregates, domain events, and ubiquitous language |
@@ -2,12 +2,12 @@

 | Field | Value |
 |-------|-------|
-| **Status** | **Accepted** (MQTT track P1–P7 + P8a + P9 + P10 shipped 2026-05-23 in PR #778, 410 lib tests, witness bundle VERIFIED) / **Proposed** (Matter SDK wiring P8b deferred to v0.7.1 per §9.10) |
+| **Status** | Proposed |
 | **Date** | 2026-05-23 |
 | **Deciders** | ruv |
-| **Codename** | **HA-DISCO** (MQTT) + **HA-FABRIC** (Matter) + **HA-MIND** (semantic primitives) |
+| **Codename** | **HA-DISCO** (MQTT) + **HA-FABRIC** (Matter) |
 | **Relates to** | ADR-018 (CSI binary frame format), ADR-021 (ESP32 vitals), ADR-031 (RuView sensing-first), ADR-039 (edge vitals packet 0xC511_0002), ADR-079 (camera ground-truth), ADR-103 (cog-person-count), ADR-110 (ESP32-C6 firmware), ADR-114 (cog-quantum-vitals) |
-| **Tracking issue** | [#776](https://github.com/ruvnet/RuView/issues/776) — implementation in PR [#778](https://github.com/ruvnet/RuView/pull/778) |
+| **Tracking issue** | TBD — file under RuView issue tracker, link in §10 |
 | **Related issues** | [#574](https://github.com/ruvnet/RuView/issues/574) (mDNS for seed_url), [#760](https://github.com/ruvnet/RuView/issues/760) (sensing UI), [#761](https://github.com/ruvnet/RuView/issues/761) (HA competitor scan) |

 ---
@@ -1,116 +0,0 @@
-# ADR-116: Home Assistant + Matter as a Cognitum Seed cog (`cog-ha-matter`)
-
-| Field | Value |
-|-------|-------|
-| **Status** | Proposed — P1 research complete ([`docs/research/ADR-116-ha-matter-cog-research.md`](../research/ADR-116-ha-matter-cog-research.md)). P2 cog scaffold compiles (`v2/crates/cog-ha-matter`, 2/2 unit tests green). |
-| **Date** | 2026-05-23 |
-| **Deciders** | ruv |
-| **Codename** | **HA-COG** — HA + Matter, packaged for the Seed |
-| **Relates to** | [ADR-110](ADR-110-esp32-c6-firmware-extension.md) (C6 firmware substrate), [ADR-115](ADR-115-home-assistant-integration.md) (HA-DISCO + HA-MIND + HA-FABRIC), [ADR-102](ADR-102-edge-module-registry.md) (cog catalog), [ADR-101](ADR-101-pose-estimation-cog.md) (cog packaging precedent) |
-| **Tracking issue** | TBD — file under RuView issue tracker once research dossier lands |
-
---
-
-## 1. Context
-
-ADR-115 shipped the Home Assistant + Matter integration as a **`--mqtt` flag on `wifi-densepose-sensing-server`** — a Rust binary that runs on a Pi / Linux box, consumes UDP frames from the ESP32 fleet, and publishes MQTT for any Home Assistant install to discover. That works, but it makes HA+Matter a *configuration of the aggregator*, not an *installable artifact* a Cognitum Seed user can drop into their existing fleet.
-
-The Cognitum Seed already has a [105-cog catalog](https://seed.cognitum.one/store) — packaged Seed apps (`cog-pose-estimation`, `cog-quantum-vitals`, `cog-person-matching`, etc.) that anyone can install from `app-registry.json`. **There is no `cog-ha-matter` yet.** That's the gap this ADR closes.
-
-The cog packaging precedent is ADR-101 (`cog-pose-estimation`) which ships signed aarch64 + x86_64 binaries on GCS with a `pose_v1.safetensors` weight blob — same shape we'd want for the HA cog.
-
-### 1.1 Why a cog, not just the existing flag?
-
-| Path | Distribution | Discovery | Update | Witness | Local AI |
-|---|---|---|---|---|---|
-| `--mqtt` on `sensing-server` | manual install of the Rust binary | none | manual | none | external |
-| **`cog-ha-matter` Seed cog** | `app-registry.json` listing, one-click install | mDNS / cog browser | OTA via cog runtime | Ed25519 witness chain | local ruvllm + RuVector |
-
-The cog ships HA+Matter as a first-class Seed feature — same UX as installing a pose estimator or person matcher.
-
-### 1.2 What this ADR is *not*
-
- Not a deprecation of the `--mqtt` flag on sensing-server. The flag stays for Pi / Linux deployments without a Seed; the cog is the Seed-native option.
- Not a port of HA-MIND / HA-DISCO logic to a different language. The Rust crate already exists; the cog *wraps* it as a Seed-installable artifact + adds Seed-specific surfaces (witness, RuVector, ruvllm-driven thresholds).
- Not a Matter SDK ship. ADR-115 §9.10 deferred the matter-rs SDK wiring to v0.7.1; this ADR continues that deferral and focuses on the *cog packaging* + *first-class Seed integration*, with Matter Bridge mode shipping in v0.8 once the SDK is ready.
-
-## 2. Decision (provisional — to be refined by the research dossier)
-
-Build **`cog-ha-matter`** as a Cognitum Seed cog with these surfaces:
-
-### 2.1 Core entity surface (unchanged from ADR-115)
-
-The cog republishes the same 21 entities per node (11 raw + 10 semantic primitives) over MQTT auto-discovery, so HA installations behave identically whether the source is a Seed cog or an external sensing-server.
-
-### 2.2 Seed-native enhancements
-
- **Self-contained MQTT broker (optional)** — if the user doesn't already run mosquitto, the cog can host an embedded broker on `cognitum-seed.local:1883` and act as the HA endpoint directly.
- **mDNS service advertisement** — `_ruview-ha._tcp` so HA's discovery integration finds the Seed without manual config.
- **RuVector-backed semantic-primitive thresholds** — instead of static `semantic-thresholds.yaml`, the cog learns per-home thresholds via a SONA-adapted RuVector model (matches the Seed's local-first AI story).
- **Ed25519 witness chain** — every state transition logged with a Seed signature so care-home / regulated deployments can audit decisions.
- **OTA firmware coordination** — the cog manages C6 firmware updates for ESP32-C6 nodes in the mesh (ADR-110 substrate).
-
-### 2.3 Matter dimensions (depend on research findings)
-
-The research dossier covers (a) Matter Bridge vs Matter Device mode, (b) Thread Border Router on the Seed's ESP32-S3 (if feasible), (c) CSA certification path, (d) which Matter device classes map cleanly to which entities. **Decision deferred** until the dossier lands; this ADR will be updated in §3 with the specific Matter feature set.
-
-### 2.4 Multi-Seed federation
-
-Multiple Seeds in adjacent rooms coordinate via:
- ESP-NOW mesh (ADR-110 substrate) for time alignment
- mDNS for service discovery
- Witness chain replication for cross-Seed event provenance
-
-The federation model is the natural extension of ADR-110's mesh substrate into the application layer. Specifically: ADR-110 gives us ≤100 µs cross-board sync; this ADR uses that to deduplicate cross-Seed events (one fall, one alert) and reconstruct multi-room transitions (one occupant, room A → hallway → room B).
-
-## 3. Research dossier findings (P1 complete)
-
-Full dossier: [`docs/research/ADR-116-ha-matter-cog-research.md`](../research/ADR-116-ha-matter-cog-research.md). The eight research questions are now answered:
-
-1. **Matter Bridge vs Matter Root** — Matter 1.4 introduced `OccupancySensor (0x0107)` with `RFSensing` feature flag on cluster `0x0406` (revision 5 in Matter 1.4). That's the correct device class for WiFi-CSI sensing — no health/vitals cluster exists in Matter 1.4.2 and won't soon. **Seed acts as Bridge** with N dynamic OccupancySensor endpoints, **not Commissioner** (the C6 sensing nodes stay Accessories only — 320 KB SRAM no PSRAM rules out commissioning).
-2. **Thread Border Router** — ESP32-C6 single-chip TBR confirmed working; `CONFIG_OPENTHREAD_BORDER_ROUTER=y` is the only config step. ADR-110's `c6_timesync.c` already initialises 802.15.4 — TBR is a Kconfig flag away. Real value: HA's Improv-style commissioning works without a separate Thread border router box.
-3. **HACS value-add** — config flow (UI setup wizard), Repairs API (structured error cards), re-authentication, diagnostics download, typed service actions (`set_privacy_mode`, `calibrate_zone`), i18n translations. **Bronze is the minimum bar; Gold (repairs + diagnostics + reconfiguration) is the target.** Start from `hacs.integration_blueprint` template.
-4. **CSA certification** — ~$30-42k first year ($22.5k membership + $10-19k ATL lab fees). **Skippable for v1** by publishing as "Works with HA" instead. CSA re-evaluate at v0.9+ after HACS adoption data lands.
-5. **Cog RAM budget** — 128 MB RAM / 15 % CPU on the Seed appliance (Pi 5 + Hailo-10 variant has more headroom). 10 KB INT8 semantic-primitive classifier fits without PSRAM. Long-lived supervised process with capability scopes `network.mqtt + network.matter + api.ruview_vitals`.
-6. **ruvllm + RuVector latency** — `ruvllm-esp32` v0.3.3 confirms SONA self-optimising adaptation under 100 µs per query. 8→10 INT8 classifier ~10 KB quantised. Per-home threshold tuning via HA thumbs-up/thumbs-down feedback as LoRA-style gradient steps — closes the top user complaint (false positives) without cloud round-trips.
-7. **HIPAA / FDA** — FDA January 2026 General Wellness guidance explicitly classifies HR / sleep / activity-anomaly alerts as **wellness devices** (outside FDA jurisdiction) when marketed without diagnostic claims. Frame fall detection as **"activity anomaly notification"** not "fall diagnosis". `--privacy-mode` audit-only tier (no MQTT state messages, only SHA-256 digests on-Seed) creates a technical PHI barrier. `OccupancySensor (0x0107)` device class keeps the product in the same regulatory category as a smart motion sensor.
-8. **Competitor moat** — Aqara FP300 (Nov 2025): 5 entities, no person count, no vitals, no fall detection. TOMMY: zones only, no vitals, closed-source, paywalled. ESPectre: motion only. **RuView's differentiation** — HR/BR + 17-keypoint pose + 10 semantic primitives + witness chain + SONA adaptation — has no competitor equivalent.
-
-## 4. Recommended v1 scope (from dossier §8)
-
-Ranked by build cost × user impact:
-
-| # | Feature | Cost | Impact | Phase |
-|---|---|---|---|---|
-| 1 | **`--privacy-mode` audit-only tier** (no MQTT state, SHA-256 digests on-Seed) | ~1 week | Closes care / GDPR deployments | P3 (this cog) |
-| 2 | **Seed cog manifest + Ed25519 signing + store listing** | ~1-2 weeks | Enables one-click distribution | P2 + P8 (this cog) |
-| 3 | **Local SONA fine-tuning loop** (HA feedback → LoRA gradient steps) | ~2-3 weeks | Reduces false positives, closes #1 user complaint | P5 (this cog) |
-| 4 | **HACS gold-tier integration** (config flow + repairs + diagnostics) | ~4-6 weeks | Removes MQTT prerequisite for mainstream users | P9 (separate repo `hass-wifi-densepose`) |
-| 5 | **Matter Bridge with OccupancySensor + dynamic endpoints** | ~6-8 weeks | Apple Home / Google Home / Alexa native | **v0.8** dedicated sprint (after HACS adoption data) |
-| 6 | **Embedded MQTT broker (rumqttd) inside the cog** | ~1 week | "Works without external broker" but every HA install already has mosquitto / built-in | **v0.7** deferred — adds ~2 MB binary + ACL config surface for marginal user benefit. Dossier ranking did not include this in the prioritised v1 scope. |
-
-## 4. Implementation phases
-
-| Phase | Scope | Status |
-|---|---|---|
-| **P1** | Research dossier ([`docs/research/ADR-116-ha-matter-cog-research.md`](../research/ADR-116-ha-matter-cog-research.md)) | ✅ **done** — 8 sections, 30+ citations, v1 scope ranked |
-| **P2** | Cog crate scaffold (`v2/crates/cog-ha-matter/`) — Cargo.toml + `src/{lib,main,manifest}.rs`, workspace member, CLI args, `--print-manifest` flag, 2 manifest unit tests | ✅ **done** — `cargo check` + `cargo test` green |
-| **P3** | Wrap existing ADR-115 MQTT publisher as cog entry point | ✅ **wiring done** — `main.rs` boots ADR-115's `publisher::spawn` via `runtime::spawn_publisher` thin wrapper, holds a long-lived `broadcast::Sender<VitalsSnapshot>`, awaits Ctrl-C. Live-handle test green without a broker. Next (P3.5): subscribe to sensing-server `/v1/snapshot` WS and republish into the channel. |
-| **P4** | Seed-native enhancements (mDNS, witness; embedded broker deferred) | ✅ **shipped** — mDNS half: record-builder + ServiceInfo conversion + live responder wired into `main.rs` (HA auto-discovery on `_ruview-ha._tcp` works out of the box, `--no-mdns` flag for restrictive networks). Witness half: hash-chain + JSONL + file persistence + chain-level verify + Ed25519 signing. **Embedded rumqttd broker deferred to v0.7** per dossier §8 ranking — not in the prioritised v1 scope; v1 ships with external-broker only (mosquitto or HA's built-in broker). See §4 v1 scope table. |
-| **P5** | RuVector-backed threshold learning (SONA adaptation) | pending |
-| **P6** | Multi-Seed federation (cross-Seed dedup + witness) | pending |
-| **P7** | Matter Bridge mode (depends on matter-rs / esp-matter readiness) | pending |
-| **P8** | Cog signing + `app-registry.json` listing + Seed Store entry | pending |
-| **P9** | HACS integration repo (`hass-wifi-densepose`) for HA-side install path | pending |
-| **P10** | Witness bundle + CSA-style spec compliance check | pending |
-
-## 5. References
-
- ADR-101 — `cog-pose-estimation` packaging precedent (signed binaries on GCS, .cog manifest)
- ADR-102 — edge module registry (`app-registry.json` surfaces all cogs)
- ADR-110 — ESP32-C6 firmware substrate (mesh time alignment that multi-Seed federation depends on)
- ADR-115 — HA-DISCO + HA-MIND + HA-FABRIC (the Rust crate this cog wraps)
- `docs/research/ADR-116-ha-matter-cog-research.md` — companion research dossier (deep-researcher agent in progress)
- Cognitum Seed store: https://seed.cognitum.one/store
- Matter spec: https://csa-iot.org/all-solutions/matter/
- HACS integration target: https://github.com/ruvnet/hass-wifi-densepose (planned)
@@ -90,7 +90,6 @@ Statuses: **Proposed** (under discussion), **Accepted** (approved and/or impleme
 | [ADR-035](ADR-035-live-sensing-ui-accuracy.md) | Live Sensing UI Accuracy and Data Transparency | Accepted |
 | [ADR-036](ADR-036-rvf-training-pipeline-ui.md) | Training Pipeline UI Integration | Proposed |
 | [ADR-043](ADR-043-sensing-server-ui-api-completion.md) | Sensing Server UI API Completion (14 endpoints) | Accepted |
-| [ADR-115](ADR-115-home-assistant-integration.md) | Home Assistant integration via MQTT auto-discovery + Matter bridge (HA-DISCO + HA-FABRIC + HA-MIND) | Accepted (MQTT track) / Proposed (Matter SDK P8b) |

 ### Architecture and infrastructure

@@ -1,40 +0,0 @@
-# ADR-115 — Benchmark numbers
-
-Measured on a developer laptop (Windows 11, Rust 1.78, release build, single-threaded). Run with:
-
-```bash
-cargo bench -p wifi-densepose-sensing-server --features mqtt --bench mqtt_throughput
-```
-
-| Hot path                            | Measured (median) | Target (ADR §3.7) | Ratio to target |
-|-------------------------------------|-------------------|-------------------|-----------------|
-| `state::event_fall` encode          | **259 ns**        | <2 µs             | **7.7× better** |
-| `rate_limiter::allow_first`         | **49.7 ns**       | <100 ns           | **2× better**   |
-| `rate_limiter::allow_within_gap`    | **62.1 ns**       | <100 ns           | **1.6× better** |
-| `privacy::decide_hr_strip`          | **0.24 ns**       | <50 ns            | **208× better** |
-| `privacy::decide_presence_keep`     | **0.24 ns**       | <50 ns            | **208× better** |
-| `semantic::bus_tick_all_10_primitives` | **717 ns**     | <10 µs            | **14× better**  |
-
-Discovery payload (presence/heart_rate/fall) generation completed earlier in the sweep but the numbers truncated in transcript; they tracked under the <5 µs target.
-
-## What this means
-
-At a full **1 Hz publish rate per node**, the entire ADR-115 hot path — rate-limit decisions, privacy filter, semantic inference across all 10 primitives, plus serialised state encoding — costs roughly **1 µs per node per tick** on commodity hardware. A Cognitum Seed appliance hosting **100 RuView nodes** would burn ~100 µs of CPU per second on the MQTT path itself. That's a 0.01% load floor.
-
-Memory: every primitive's FSM is a few dozen bytes of state. 10 primitives × 100 nodes = ~30 KB of resident FSM state, well under typical broker buffer caps.
-
-The user-supplied `--mqtt-rate-*` flags are the throttle, not the publisher. There's no need to optimise the hot path further for v0.7.0.
-
-## Reproducibility
-
-Bench numbers are captured into the witness bundle when generated with:
-
-```bash
-RUVIEW_RUN_BENCH=1 bash scripts/witness-adr-115.sh
-```
-
-Output lands under `dist/witness-bundle-ADR115-<sha>-<ts>/bench-results/` as both criterion's stdout log and the HTML report tarball.
-
-## Cross-platform note
-
-These measurements are from a single laptop. Numbers on a Raspberry Pi 5 (Cognitum Seed appliance) are expected to be ~3-5× slower at the per-operation level but the rate-budget headroom (1 µs vs the 100 ms tick interval) absorbs that with room to spare.
@@ -1,513 +0,0 @@
-# Home Assistant integration
-
-RuView publishes its full WiFi-sensing capability set to **Home Assistant** via MQTT auto-discovery (HA-DISCO) and to **any Matter controller** (Apple Home / Google Home / Alexa / SmartThings / HA) via a built-in Matter Bridge (HA-FABRIC). This document is the operator guide for both paths. Design rationale: [ADR-115](../adr/ADR-115-home-assistant-integration.md).
-
-> **Tested against** Home Assistant Core **2025.5**, Mosquitto add-on **6.4**, and Matter (chip-tool) **1.3**. Bump the matrix when you change tested versions.
-
---
-
-## Quick start
-
-### 1. Prereqs
-
- A running **MQTT broker** on your LAN. The easiest path is the [Mosquitto add-on](https://github.com/home-assistant/addons/tree/master/mosquitto) inside Home Assistant OS (one click from the Add-on Store). EMQX and VerneMQ also work — see §Advanced brokers below.
- Home Assistant **2025.5 or newer** with the MQTT integration enabled and pointed at your broker.
- A RuView **`wifi-densepose-sensing-server`** v0.7.0+ binary (or `cargo run` from source).
-
-### 2. Start the publisher
-
-```bash
-# Docker (recommended for non-developers):
-docker run --rm --net=host \
-    ruvnet/wifi-densepose:0.7.0 \
-    --source esp32 \
-    --mqtt --mqtt-host 192.168.1.10 \
-    --mqtt-username homeassistant --mqtt-password-env MQTT_PASSWORD
-
-# Or from a source checkout (Rust 1.78+):
-MQTT_PASSWORD='your-broker-password' \
-cargo run --release -p wifi-densepose-sensing-server \
-    --features mqtt -- \
-    --source esp32 --mqtt \
-    --mqtt-host 192.168.1.10 \
-    --mqtt-username homeassistant
-```
-
-Within ~5 seconds of starting, Home Assistant should auto-create:
-
- One **device** per RuView node (named after the MAC or the `friendly_name` from your zones config)
- 17+ **entities** per device (presence, person count, heart rate, breathing rate, motion, fall events, signal strength, zones, and the 10 semantic primitives)
-
-If nothing appears in HA's Settings → Devices, see [Troubleshooting](#troubleshooting).
-
-### 3. Stop the publisher cleanly
-
-Ctrl-C — the publisher pushes `offline` to every availability topic before disconnect so HA marks all entities unavailable instantly. A `kill -9` triggers MQTT LWT, which has the same effect within ~30 s.
-
---
-
-## Entity reference
-
-RuView publishes three classes of entity. Names below are the `unique_id` slugs — Home Assistant assigns friendly names automatically.
-
-### Raw signals (11 entities)
-
-| HA entity | Slug | HA component | Unit | Source field |
-|---|---|---|---|---|
-| Presence | `presence` | `binary_sensor` | — | `edge_vitals.presence` |
-| Person count | `person_count` | `sensor` | persons | `edge_vitals.n_persons` |
-| Heart rate | `heart_rate` | `sensor` | bpm | `edge_vitals.heartrate_bpm` |
-| Breathing rate | `breathing_rate` | `sensor` | bpm | `edge_vitals.breathing_rate_bpm` |
-| Motion level | `motion_level` | `sensor` | % | `edge_vitals.motion` × 100 |
-| Motion energy | `motion_energy` | `sensor` | (dimensionless) | `edge_vitals.motion_energy` |
-| Fall detected | `fall` | `event` | — | `edge_vitals.fall_detected` |
-| Presence score | `presence_score` | `sensor` | % | `edge_vitals.presence_score` × 100 |
-| Signal strength | `rssi` | `sensor` | dBm | `edge_vitals.rssi` |
-| Zone occupancy | `zone_occupancy` | `binary_sensor` | — | `sensing_update.zones` |
-| Pose keypoints | `pose` | `sensor` (attrs) | — | `pose_data.keypoints` (opt-in via `--mqtt-publish-pose`) |
-
-Heart rate, breathing rate, and pose are **biometric** entities — they are stripped from MQTT (and never published over Matter) when `--privacy-mode` is set. See [Privacy](#privacy) below.
-
-### Semantic automation primitives (10 entities)
-
-These are the inferred high-level states that customer automations actually use. Each one is a small finite-state machine running server-side with explicit warmup, hysteresis, and refractory windows. Per-primitive precision/recall is published in [`semantic-primitives-metrics.md`](./semantic-primitives-metrics.md).
-
-| HA entity | Slug | HA component | What it fires on |
-|---|---|---|---|
-| Someone sleeping | `someone_sleeping` | `binary_sensor` | presence + motion<5% + BR ∈ [8,20] bpm sustained for 5 min |
-| Possible distress | `possible_distress` | `binary_sensor` | HR > 1.5× baseline + motion >20% + no fall, sustained 60 s |
-| Room active | `room_active` | `binary_sensor` | motion >10% in a 30-s rolling window |
-| Elderly inactivity anomaly | `elderly_inactivity_anomaly` | `binary_sensor` | idle > 2× observed-max-idle baseline |
-| Meeting in progress | `meeting_in_progress` | `binary_sensor` | ≥2 persons + low-amplitude motion for 10 min |
-| Bathroom occupied | `bathroom_occupied` | `binary_sensor` | presence + active zone tagged `bathroom` |
-| Fall risk elevated | `fall_risk_elevated` | `sensor` | 0–100 score; event fires on ≥70 crossing |
-| Bed exit (overnight) | `bed_exit` | `event` | sleeping → presence leaves bed zone between 22:00–06:00 |
-| No movement (safety) | `no_movement` | `binary_sensor` | presence + motion <1% for 30 min |
-| Multi-room transition | `multi_room_transition` | `event` | zone X exit + zone Y enter within 10 s |
-
-Every state change carries a `reason` attribute (e.g. `["motion<5%", "br=12bpm", "presence=true"]`) so you can template against it in HA automations to understand why an automation triggered.
-
-### Matter device-type mapping
-
-Per ADR-115 §3.11.1, the Matter Bridge exposes a subset on standard clusters so Apple Home / Google Home / Alexa / SmartThings can consume RuView without HA. Biometrics and pose stay MQTT-only — Matter has no clusters for HR / BR / pose keypoints yet.
-
-| RuView | Matter cluster | Matter endpoint device type |
-|---|---|---|
-| Presence | `OccupancySensing` (0x0406) | `OccupancySensor` (0x0107) |
-| Motion (above 10%) | (same endpoint, attribute on OccupancySensing) | (same) |
-| Fall event | `Switch.MultiPressComplete` event | `GenericSwitch` (0x000F) |
-| Person count | Vendor-extension attribute (0xFFF1_0001) | (same OccupancySensor endpoint) |
-| Per-zone occupancy | one `OccupancySensor` endpoint per zone | per-zone |
-| Sleeping / room-active / bathroom / etc | `OccupancySensing` (one endpoint per primitive) | per-primitive |
-| Fall-risk-elevated event | `Switch.MultiPressComplete` event | `GenericSwitch` |
-| HR / BR / pose | **not exposed** — MQTT only | — |
-
---
-
-## Configuration
-
-### CLI matrix
-
-| Flag | Default | Purpose |
-|---|---|---|
-| `--mqtt` | off | Enable the HA-DISCO publisher |
-| `--mqtt-host <HOST>` | `localhost` | Broker host |
-| `--mqtt-port <PORT>` | 1883 (8883 with TLS) | Broker port |
-| `--mqtt-username <U>` | — | Username for broker auth |
-| `--mqtt-password-env <VAR>` | `MQTT_PASSWORD` | Env var holding the password |
-| `--mqtt-client-id <ID>` | `wifi-densepose-<hostname>` | MQTT client ID |
-| `--mqtt-prefix <PREFIX>` | `homeassistant` | Discovery topic prefix |
-| `--mqtt-tls` | off | Encrypt connection |
-| `--mqtt-ca-file <PATH>` | — | Pinned CA for TLS / mTLS |
-| `--mqtt-client-cert <PATH>` | — | Client cert for mTLS |
-| `--mqtt-client-key <PATH>` | — | Client key for mTLS |
-| `--mqtt-refresh-secs <N>` | 600 | Discovery re-emit interval |
-| `--mqtt-rate-vitals <HZ>` | 0.2 | HR / BR publish rate (Hz) |
-| `--mqtt-rate-motion <HZ>` | 1.0 | Motion publish rate (Hz) |
-| `--mqtt-rate-count <HZ>` | 1.0 | Person-count publish rate (Hz) |
-| `--mqtt-rate-rssi <HZ>` | 0.1 | RSSI publish rate (Hz) |
-| `--mqtt-publish-pose` | off | Enable pose-keypoint publication |
-| `--mqtt-rate-pose <HZ>` | 1.0 | Pose publish rate when enabled |
-| `--privacy-mode` | off | Strip HR/BR/pose from MQTT and Matter |
-| `--matter` | off | Enable the HA-FABRIC Matter Bridge |
-| `--matter-setup-file <PATH>` | — | Where to write the QR + manual code |
-| `--matter-reset` | off | Wipe fabric credentials and re-commission |
-| `--matter-vendor-id <VID>` | `0xFFF1` (dev) | CSA-assigned vendor ID |
-| `--matter-product-id <PID>` | `0x8001` | Product ID |
-| `--semantic` | on | Enable inference layer |
-| `--semantic-thresholds-file <PATH>` | — | Per-primitive threshold overrides |
-| `--semantic-zones-file <PATH>` | — | Zone-tag map (`bathroom`, `bedroom`, …) |
-| `--no-semantic <PRIMITIVE>` | — | Disable a specific primitive (repeatable) |
-
-### Zone tag file format
-
-```yaml
-# semantic-zones.yaml — passed to --semantic-zones-file
-zones:
-  bathroom: ["zone_3", "zone_7"]
-  bedroom:  ["zone_1"]
-  kitchen:  ["zone_2"]
-  living:   ["zone_5"]
-bed_zones: ["zone_1"]
-```
-
-### Threshold overrides
-
-```yaml
-# semantic-thresholds.yaml — passed to --semantic-thresholds-file
-sleep_dwell_secs: 300
-distress_hr_multiple: 1.5
-room_active_motion_threshold: 0.10
-elderly_anomaly_multiple: 2.0
-meeting_min_persons: 2
-no_movement_dwell_secs: 1800
-fall_risk_event_threshold: 70.0
-```
-
---
-
-## Privacy
-
-When deploying in **healthcare**, **AAL (aging-in-place)**, or **commercial** settings, set `--privacy-mode`. This:
-
- **Strips** heart rate, breathing rate, and pose keypoints from every outbound MQTT publication.
- **Suppresses discovery** for those entities entirely — HA never even sees they exist.
- **Keeps every semantic primitive enabled.** Sleeping / distress / room-active / etc are *inferred* states. The inference happens server-side and only the boolean or score crosses the wire. This is the architectural win that makes the platform deployable in regulated contexts.
-
-Always pair `--privacy-mode` with `--mqtt-tls` on non-localhost brokers.
-
---
-
-## Three starter blueprints
-
-Drop these YAML files into `<HA config>/blueprints/automation/ruvnet/` and import them from the HA UI (Settings → Automations → Blueprints → Import).
-
-### 1. Notify on possible distress
-
-```yaml
-blueprint:
-  name: RuView — notify on possible distress
-  description: >
-    Send a push notification when RuView detects sustained elevated heart
-    rate + agitated motion (possible distress).
-  domain: automation
-  input:
-    distress_entity:
-      name: Possible distress entity
-      selector: { entity: { domain: binary_sensor } }
-    notify_target:
-      name: Notify target (e.g. notify.mobile_app_pixel)
-      selector: { text: {} }
-
-trigger:
-  - platform: state
-    entity_id: !input distress_entity
-    to: "on"
-
-action:
-  - service: !input notify_target
-    data:
-      title: "Possible distress detected"
-      message: >
-        RuView flagged sustained elevated heart rate + agitated motion.
-        Reason: {{ state_attr(trigger.entity_id, 'reason') }}.
-```
-
-### 2. Dim hallway when someone is sleeping
-
-```yaml
-blueprint:
-  name: RuView — dim hallway when someone sleeping
-  description: >
-    Drop hallway lights to 10 % brightness when anyone in the bedroom is
-    in the someone-sleeping state, so a midnight bathroom trip doesn't
-    require full lights.
-  domain: automation
-  input:
-    sleeping_entity:
-      name: Someone sleeping entity
-      selector: { entity: { domain: binary_sensor } }
-    hallway_light:
-      name: Hallway light
-      selector: { entity: { domain: light } }
-
-trigger:
-  - platform: state
-    entity_id: !input sleeping_entity
-    to: "on"
-  - platform: state
-    entity_id: !input sleeping_entity
-    to: "off"
-
-action:
-  - choose:
-      - conditions:
-          - condition: state
-            entity_id: !input sleeping_entity
-            state: "on"
-        sequence:
-          - service: light.turn_on
-            target: { entity_id: !input hallway_light }
-            data: { brightness_pct: 10 }
-    default:
-      - service: light.turn_off
-        target: { entity_id: !input hallway_light }
-```
-
-### 3. Wake-up routine on bed exit
-
-```yaml
-blueprint:
-  name: RuView — wake-up routine on bed exit
-  description: >
-    When bed_exit fires between 05:00 and 09:00, ramp up bedroom lights
-    over 10 minutes, start the coffee maker, and disarm the home alarm.
-  domain: automation
-  input:
-    bed_exit_event:
-      name: Bed exit event entity
-      selector: { entity: { domain: event } }
-    bedroom_light:
-      name: Bedroom light
-      selector: { entity: { domain: light } }
-    coffee_maker:
-      name: Coffee maker switch
-      selector: { entity: { domain: switch } }
-
-trigger:
-  - platform: state
-    entity_id: !input bed_exit_event
-
-condition:
-  - condition: time
-    after: "05:00:00"
-    before: "09:00:00"
-
-action:
-  - service: light.turn_on
-    target: { entity_id: !input bedroom_light }
-    data:
-      brightness_pct: 100
-      transition: 600   # 10 min ramp
-  - service: switch.turn_on
-    target: { entity_id: !input coffee_maker }
-  - service: alarm_control_panel.alarm_disarm
-    target: { entity_id: alarm_control_panel.home }
-```
-
---
-
-## Lovelace dashboard examples
-
-### Single-room overview card
-
-```yaml
-type: vertical-stack
-title: Bedroom
-cards:
-  - type: glance
-    entities:
-      - entity: binary_sensor.ruview_bedroom_presence
-      - entity: sensor.ruview_bedroom_heart_rate
-      - entity: sensor.ruview_bedroom_breathing_rate
-      - entity: sensor.ruview_bedroom_motion_level
-  - type: entities
-    entities:
-      - entity: binary_sensor.ruview_bedroom_someone_sleeping
-      - entity: binary_sensor.ruview_bedroom_room_active
-      - entity: binary_sensor.ruview_bedroom_no_movement
-      - entity: sensor.ruview_bedroom_fall_risk_elevated
-```
-
-### Multi-node grid
-
-```yaml
-type: grid
-columns: 2
-cards:
-  - type: tile
-    entity: binary_sensor.ruview_bedroom_presence
-    name: Bedroom
-  - type: tile
-    entity: binary_sensor.ruview_living_presence
-    name: Living
-  - type: tile
-    entity: binary_sensor.ruview_kitchen_presence
-    name: Kitchen
-  - type: tile
-    entity: binary_sensor.ruview_bathroom_occupied
-    name: Bathroom
-```
-
---
-
-## Advanced brokers
-
-Mosquitto is the recommended default. The integration also works with:
-
- **EMQX** (https://www.emqx.io/) — clustering, MQTT 5.0, dashboard UI. Good for ≥10 RuView nodes.
- **VerneMQ** (https://vernemq.com/) — Erlang-based, multi-protocol bridges (AMQP, WebSocket).
- **HiveMQ Edge** (https://www.hivemq.com/edge/) — managed cloud relay if you need off-LAN access.
-
-All three accept the same HA discovery topics RuView publishes. Performance and discovery semantics are identical.
-
---
-
-## Troubleshooting
-
-### No entities appear in HA
-
-1. Subscribe to the discovery topic with `mosquitto_sub`:
-   ```bash
-   mosquitto_sub -h <broker> -t 'homeassistant/#' -v | head -50
-   ```
-   You should see one `config` topic per entity per node, with a JSON payload.
-2. If `mosquitto_sub` shows nothing, RuView is not reaching the broker. Check `--mqtt-host`, network reachability, and credentials.
-3. If `mosquitto_sub` shows configs but HA shows no devices, HA's MQTT integration may not be pointed at the same broker. Verify under Settings → Devices & Services → MQTT.
-
-### Entities appear but state never updates
-
-1. Check that `sensing-server` is actually receiving CSI frames (`tail -f` the server log, look for `[ws]` / `[edge_vitals]` lines).
-2. Verify the broadcast channel is alive by hitting `/ws/sensing` with `wscat`:
-   ```bash
-   wscat -c ws://localhost:8765/ws/sensing
-   ```
-3. Confirm rate limits aren't dropping everything: `--mqtt-rate-vitals 1.0` for diagnosis (default 0.2 Hz = every 5 s).
-
-### "Plaintext MQTT on non-localhost broker" WARN
-
-Per [ADR-115 §3.9](../adr/ADR-115-home-assistant-integration.md#39-tls--auth), v0.7.0 warns and continues; v0.8.0 will hard-fail. Either:
-
- Add `--mqtt-tls` and supply a CA if your broker uses a self-signed cert, or
- Move the broker to `localhost` (e.g. run Mosquitto inside the same host as `sensing-server`).
-
-### Matter pairing fails
-
-1. Check the setup code in your `--matter-setup-file` log (defaults to printing on startup).
-2. Make sure the host running `sensing-server` is on the same WiFi subnet as the controller.
-3. If Apple Home complains about an unknown vendor, that's expected — RuView uses dev VID `0xFFF1` until P10 (see [ADR §9.9](../adr/ADR-115-home-assistant-integration.md#9b-matter-path-p7p10)). Tap "Add anyway".
-
---
-
-## Applications — what people actually do with this
-
-The 21 entities per node — 11 raw signals (presence, person count, breathing, heart rate, motion, RSSI, etc.) and 10 inferred semantic states (someone-sleeping, possible-distress, room-active, elderly-inactivity-anomaly, meeting-in-progress, bathroom-occupied, fall-risk-elevated, bed-exit, no-movement, multi-room-transition) — slot into Home Assistant like any other sensor. The list below groups real-world uses so you can pick the ones that match your space.
-
-### Personal & home
-
-| Use case | Which entities | What HA does with it |
-|---|---|---|
-| **"Goodnight" routine** | `someone_sleeping` | Dim hallway lights to 5%, lock doors, drop thermostat 2 °C, mute notifications. Blueprint `02-dim-hallway-when-sleeping.yaml`. |
-| **"Wake up" routine** | `bed_exit` | When you get out of bed in the morning, turn on the bathroom heater, raise blinds, start the coffee. Blueprint `03-wake-routine-on-bed-exit.yaml`. |
-| **Meeting / focus mode** | `meeting_in_progress` | Multi-person presence in the office for >5 min → set a "Do Not Disturb" status, dim overhead lights, pause vacuum schedule. Blueprint `05-meeting-lights-presence-mode.yaml`. |
-| **Bathroom fan automation** | `bathroom_occupied` | Turn the exhaust fan on while a bathroom is occupied; turn it off 5 min after you leave. Blueprint `06-bathroom-fan-while-occupied.yaml`. |
-| **Forgotten kitchen / iron** | `presence` per room | "Stove on, kitchen empty for 10 min" → push notification + optional smart-plug cut-off. |
-| **Pet-only at home** | `n_persons == 0` for hours but `motion > 0` | Distinguish dog moving around from human presence — don't trigger empty-home automations during the day. |
-| **Sleep quality tracking** | `breathing_rate_bpm`, `heart_rate_bpm` (privacy off) | Push nightly averages to HA Statistics, graph in Grafana. No watch, no app. |
-| **Toddler bed safety** | `no_movement` in a child's room overnight | Alert parents if breathing-rate signal drops out unexpectedly. |
-| **Pre-arrival lighting** | `multi_room_transition` | When you walk from the entry hall toward the living room, anticipate the route and pre-warm those lights. |
-
-### Healthcare & assisted living (AAL)
-
-| Use case | Which entities | Why this works |
-|---|---|---|
-| **Fall detection + escalation** | `fall_detected` | Phase-acceleration spike + 3-frame debounce. Trigger a Lovelace alert, then escalate to a phone call if the person stays still for >2 min. Blueprint `07-fall-risk-escalation.yaml`. |
-| **Elderly inactivity anomaly** | `elderly_inactivity_anomaly` | Learns a person's normal day-pattern and flags deviations (e.g. usually up by 9 am, hasn't moved by 11 am). Blueprint `04-alert-elderly-inactivity-anomaly.yaml`. |
-| **Privacy-mode care monitoring** | `possible_distress` + `no_movement` + `someone_sleeping` | Run with `--privacy-mode` — heart rate and breathing values are stripped at the wire, but the *inferred states* keep working. Care staff sees "Distress detected" without ever seeing the underlying biometric numbers. The architectural win that makes RuView legally deployable in care homes. |
-| **Sleep apnea screening** | `breathing_rate_bpm` + `breathing_confidence` | Track per-night BPM histograms; flag dips that correlate with apnea events. |
-| **Post-surgery recovery monitoring** | `no_movement` + `bed_exit` + `breathing_rate_bpm` | Hospital-discharge patient at home; rule: "no bed exits in 12 h" triggers a check-in call. |
-| **Dementia wandering detection** | `multi_room_transition` + nighttime gate | Multi-room transitions between 23:00 and 06:00 alert a caregiver — without GPS tags or wearables the person may refuse to wear. |
-| **Bathroom occupancy timeout** | `bathroom_occupied` for >30 min | Possible fall or medical incident; push to caregiver. |
-
-### Security & safety
-
-| Use case | Which entities | What HA does with it |
-|---|---|---|
-| **Auto-arm when no one's home** | `presence` across all nodes for >10 min | Switch HA alarm panel to "armed_away" — replaces door-sensor + key-fob combos. Blueprint `08-auto-arm-security-when-not-active.yaml`. |
-| **Intrusion detection (presence without entry)** | `presence` true while no door/window sensor opened | Real signal of someone inside who shouldn't be. RF-based, can't be defeated by covering a camera. |
-| **Through-wall presence verification** | `presence` per room, even with doors closed | Confirms HA "someone is home" estimate without requiring per-room PIR sensors. |
-| **Hostage / silent-distress mode** | `possible_distress` (motion + elevated HR) | If you've published HR + privacy is off, abnormal motion-plus-physiology can trigger a silent alarm. |
-| **Garage / shed monitoring** | `presence` in outbuildings | Wi-Fi reaches places PIR doesn't (metal shed walls block IR but pass through Wi-Fi). |
-| **Camera-free child safety zone** | `presence` near pool / stairs / fireplace | Push alert if a known child-room sensor sees presence in restricted zone — no cameras, no privacy concerns. |
-
-### Commercial buildings & retail
-
-| Use case | Which entities | What it enables |
-|---|---|---|
-| **Real-time office occupancy** | `n_persons`, `presence`, `room_active` | Live dashboard of how full each meeting room is — no cameras, no badges. Better than door-counters because people are detected mid-meeting, not just on entry. |
-| **HVAC demand-controlled ventilation** | `n_persons` | Adjust ventilation per room based on people present — saves 20-30% on cooling/heating in shared offices. |
-| **Meeting room booking truth** | `meeting_in_progress` vs calendar | "Meeting booked, but no one's there" → auto-release the room. |
-| **Retail dwell time + heat-mapping** | `presence` + `motion` over time | Where do customers linger? Which aisles are empty? Anonymous (no faces), through-clothing, works in low light. |
-| **Queue length estimation** | `n_persons` near a checkout | Trigger "open another register" automation. |
-| **Cleaning verification** | `no_movement` in a room for >X min after hours | Confirms cleaning crew has finished the room without requiring badges. |
-| **Lone-worker safety (warehouses, labs)** | `no_movement` + `possible_distress` | OSHA-compatible solo-worker monitoring without wearables. |
-
-### Industrial & infrastructure
-
-| Use case | Which entities | What it enables |
-|---|---|---|
-| **Manned-station occupancy** | `presence` | Control rooms / lab benches — confirm operator presence without log-in friction. |
-| **Restricted-zone intrusion** | `presence` + `multi_room_transition` | Server room / clean room / pharmaceutical lab — RF passes through doors better than IR. |
-| **Equipment-room ventilation** | `presence` in a UPS / battery room | Turn on exhaust fans when a technician enters. |
-| **Hazardous-area worker tracking** | `presence` + `no_movement` | Confirm workers in an electrical or chemical area are still moving (not collapsed). |
-| **Construction-site after-hours** | `presence` + scheduled gate | Detect anyone on-site after 18:00 → site supervisor alert. |
-| **Maritime / offshore quarters** | `breathing_rate` overnight | Confirm bunk occupants are alive without wearables that often get removed during sleep. |
-
-### Education & public spaces
-
-| Use case | Which entities | What it enables |
-|---|---|---|
-| **Classroom occupancy** | `n_persons`, `room_active` | HVAC and lighting per actual headcount — saves energy in classrooms used 40% of the day. |
-| **Library / study room availability** | `presence` + `n_persons` | Live "rooms available" page without webcams. |
-| **Lecture hall attendance** | `n_persons` time-series | No card-swipe required — RF presence is robust to phones-in-pockets. |
-| **Restroom occupancy signage** | `bathroom_occupied` per stall | Privacy-friendly "in use / available" indicators. |
-| **Gym / pool capacity** | `n_persons` | Live capacity counter for compliance with limits — no turnstiles needed. |
-| **Public-transport waiting areas** | `n_persons` + `room_active` | Real-time platform crowd density for transit operator dashboards. |
-
-### Energy & sustainability
-
-| Use case | Which entities | What it enables |
-|---|---|---|
-| **Per-room lighting auto-off** | `presence` per node | The room-level version of motion-PIR — works through walls, no false-off when sitting still reading. |
-| **Smart-thermostat zoning** | `room_active`, `n_persons` | Only heat / cool occupied rooms — substantial savings in homes >150 m². |
-| **Vampire-load cut-off** | `presence` for whole house | When no one is home, smart plugs cut TV / chargers / standby loads. |
-| **Solar / battery dispatch tuning** | `n_persons`, `motion_energy` | Predict next-hour load based on activity, dispatch battery accordingly. |
-| **Cold-chain refrigeration alerts** | `presence` + `bathroom_occupied` confusion | Trigger door-checks when an unexpected person spends >10 min near a walk-in freezer. |
-
-### Research, prototyping & developer use
-
-| Use case | Which entities | What it enables |
-|---|---|---|
-| **Behavioral studies** | Full snapshot stream | Anonymous behavioral data — count, motion, vitals — without IRB-blocking cameras. |
-| **HCI experiments** | `multi_room_transition` + `presence` | Path-following studies in living labs. |
-| **Healthcare datasets** | `breathing_rate_bpm` time-series | Generate breathing-rate corpora for ML training without consent forms for facial data. |
-| **Custom RuView Cogs** | Raw CSI feed + the WebSocket sync field | Bring your own model, consume the firmware-side mesh-aligned timestamps for multistatic fusion. |
-
-### Combining entities — recipe patterns
-
-A few patterns appear over and over; if you understand these you can build most of the above yourself:
-
-1. **"Negative + duration" trip wires** — `no_movement` for N minutes AND time-of-day window → most healthcare and pet/child safety automations.
-2. **"Two states agree" guards** — `presence == false` AND security panel disarmed AND no door sensor open → strong "house is empty" signal.
-3. **"Threshold + cooldown"** — `presence_score > 0.7` for 30 s before triggering (smooths over flicker), then a 5 min cooldown before re-arming (prevents oscillation).
-4. **"Calendar vs reality"** — pair an HA calendar event with `n_persons` → meeting-room auto-release, classroom unused-period detection.
-5. **"Privacy-mode + semantic-only"** — run `--privacy-mode`, expose only the semantic primitives to HA, keep biometrics on-device. The right default for any deployment with non-tenant occupants.
-
-### What about regulated environments?
-
-Run RuView with `--privacy-mode` and only the 10 inferred semantic states reach Home Assistant — heart rate, breathing rate, and pose values are stripped at the MQTT wire. Per ADR-115 §6, this passes:
-
- **HIPAA-style minimum-necessary** (no biometric numbers leave the device)
- **GDPR purpose-limitation** (the inferred states are the smallest dataset that supports the automation)
- **CCPA "sensitive personal information"** (no health data crosses the wire)
-
-The fall-risk-elevated / possible-distress / someone-sleeping flags still work — they're computed *inside* the sensor pipeline and only the boolean outputs are published. That's the architectural win that makes RuView deployable in care homes, hospitals, schools, and shared-housing scenarios where raw biometrics would be a non-starter.
-
-## References
-
- [ADR-115](../adr/ADR-115-home-assistant-integration.md) — full design rationale
- [`semantic-primitives-metrics.md`](./semantic-primitives-metrics.md) — per-primitive precision/recall
- Home Assistant MQTT integration: https://www.home-assistant.io/integrations/mqtt/
- Mosquitto add-on: https://github.com/home-assistant/addons/tree/master/mosquitto
- HACS follow-on (planned): https://github.com/ruvnet/hass-wifi-densepose
- Matter spec: https://csa-iot.org/all-solutions/matter/
@@ -1,87 +0,0 @@
-# Semantic primitives — precision / recall reference
-
-Per [ADR-115 §3.12.4](../adr/ADR-115-home-assistant-integration.md#3124-inference-quality-contract), every semantic primitive ships with a published precision/recall on a held-out test set. This document tracks v1 numbers and the methodology for reproducing them.
-
-> **Status**: v1 baselines below were computed against synthetic stress scenarios + a 1,077-sample held-out subset of the ADR-079 paired-capture set (camera-supervised, cognitum-v0, 2026-04 collection). v2 numbers will land after the larger 30 k-sample collection in [issue #645](https://github.com/ruvnet/RuView/issues/645).
-
---
-
-## Per-primitive baselines (v1, 2026-05-23)
-
-| Primitive | Precision | Recall | F1 | Latency to fire | Notes |
-|---|---|---|---|---|---|
-| `someone_sleeping` | 0.92 | 0.78 | 0.84 | 5 min | recall limited by BR detection in held-out subset (n_visible=14.3/17); v2 with multi-room data expected ≥0.90 |
-| `possible_distress` | 0.71 | 0.62 | 0.66 | 60 s | EWMA baseline needs ~10 min of resting-HR seed; cold-start performance degraded for first session |
-| `room_active` | 0.96 | 0.94 | 0.95 | 30 s | the simplest primitive, near-ceiling already |
-| `elderly_inactivity_anomaly` | 0.85 | 0.61 | 0.71 | varies | baseline floor of 30 min suppresses spurious alerts; v2 personalisation expected to lift recall |
-| `meeting_in_progress` | 0.88 | 0.81 | 0.84 | 10 min | depends on accurate `n_persons`; ADR-103 (cog-person-count) v0.0.3 is upstream dependency |
-| `bathroom_occupied` | 0.99 | 0.97 | 0.98 | <1 s | zone-derived, near-perfect once zones are correctly tagged |
-| `fall_risk_elevated` | 0.74 | 0.55 | 0.63 | varies | v1 uses motion-variance proxy; v2 with gait-instability score (ADR-027 §A4) expected ≥0.85 |
-| `bed_exit` | 0.94 | 0.89 | 0.91 | <1 s | edge-triggered, good performance |
-| `no_movement` | 0.91 | 0.93 | 0.92 | 30 min | by definition runs long; recall limited by motion floor noise |
-| `multi_room_transition` | 0.86 | 0.78 | 0.82 | <1 s | depends on accurate zone tagging |
-
---
-
-## Methodology
-
-### Test set composition
-
- **Synthetic stress scenarios** (Rust unit tests, in `v2/crates/wifi-densepose-sensing-server/src/semantic/*/tests.rs`) — verify each primitive's FSM under exact-edge-case conditions (threshold crossings, hysteresis dwell exactly at boundary, warmup gating, refractory).
- **Paired-capture held-out subset** — 1,077 samples (camera ground truth + CSI) from cognitum-v0, 2026-04 collection. Validates against real human behaviour at the recording confidence baseline (avg n_visible=14.3/17 keypoints, avg detection confidence 0.476).
- **Field-emitted samples** — `semantic_events.jsonl` appendix log on `--data-dir`, retrospectively labelled. v2 will run replay-evaluation in CI.
-
-### How to reproduce these numbers
-
-```bash
-# 1. Unit-level tests (the FSM correctness floor)
-cargo test -p wifi-densepose-sensing-server --no-default-features semantic::
-
-# 2. Replay against the held-out paired-capture set
-cargo run --release -p wifi-densepose-sensing-server --features mqtt -- \
-    --source replay \
-    --replay-set archive/v1/data/paired/2026-04-held-out.jsonl \
-    --semantic-thresholds-file config/semantic-thresholds.default.yaml \
-    --metrics-out reports/semantic-metrics-v1.json
-```
-
-(`--source replay` and `--metrics-out` land in P6.)
-
-### Failure-mode catalogue (v1 → v2 deltas)
-
-| Primitive | v1 weakness | v2 fix |
-|---|---|---|
-| `someone_sleeping` | BR detection in low-confidence frames | LSTM/MAE-pretrained BR head (ADR-024) |
-| `possible_distress` | EWMA cold-start | Persistent baseline across restarts (RVF container) |
-| `elderly_inactivity_anomaly` | shared baseline floor across residents | Per-resident baselines (`--resident-id`) |
-| `fall_risk_elevated` | motion-variance proxy | Gait-instability score from pose tracker (ADR-027 §A4) |
-| `meeting_in_progress` | `n_persons` accuracy | Adaptive person-count (cog-person-count v0.0.3) |
-| `bed_exit` | requires manual zone tag | Auto-zone detection from sleep dwell pattern |
-| `multi_room_transition` | manual zone tag dependency | Same as bed_exit + track-id continuity from ADR-027 AETHER |
-
-### Open-set caveats
-
-These numbers are upper bounds for a **single-room camera-supervised** held-out set. Real deployments add:
-
- **Cross-environment domain shift** — model trained in one room generalises with degradation; ADR-027 (MERIDIAN) addresses this.
- **Multiple simultaneous occupants** — most primitives degrade above 2-3 persons; `meeting_in_progress` is the exception (designed for that case).
- **Occluded zones / pets / electronics** — out of scope for v1; future work in ADR-1xx.
-
-If you deploy in a setting that doesn't match the v1 test set, expect 5–15 pp lower F1 until the v2 dataset and MERIDIAN are integrated.
-
---
-
-## Threshold tuning
-
-Each primitive's thresholds live in `PrimitiveConfig` (Rust) and can be overridden via `--semantic-thresholds-file`. The current defaults are tuned conservatively (favour precision over recall) to keep customer-facing automations from spamming. If you have a high-tolerance use case (research lab, R&D demo), lower the thresholds; for healthcare or commercial deployment, leave defaults or raise.
-
-For each primitive, the precision/recall trade-off vs threshold value is plotted in `reports/precision-recall/<primitive>.png` once the replay tooling lands in P6.
-
---
-
-## References
-
- [ADR-115 §3.12](../adr/ADR-115-home-assistant-integration.md#312-semantic-automation-primitives-ha-mind) — design
- [ADR-079](../adr/ADR-079-camera-ground-truth-training.md) — held-out paired-capture set
- [ADR-027](../adr/ADR-027-cross-environment-domain-generalization.md) — MERIDIAN cross-room generalisation
- [ADR-024](../adr/ADR-024-contrastive-csi-embedding.md) — AETHER contrastive embedding used by BR head
@@ -1,104 +0,0 @@
-# v0.7.0 — Home Assistant + Matter integration
-
-**Branch**: `feat/adr-115-ha-mqtt-matter` (PR [#778](https://github.com/ruvnet/RuView/pull/778)) · **Tracking issue**: [#776](https://github.com/ruvnet/RuView/issues/776) · **ADR**: [ADR-115](../adr/ADR-115-home-assistant-integration.md)
-
-## TL;DR
-
-RuView ships first-class integration into Home Assistant via MQTT auto-discovery and scaffolding for cross-ecosystem Matter Bridge support. One `--mqtt` flag and HA auto-creates **21 entities per node**: 11 raw signals plus 10 inferred semantic primitives (someone-sleeping, possible-distress, room-active, elderly-inactivity-anomaly, meeting-in-progress, bathroom-occupied, fall-risk-elevated, bed-exit, no-movement, multi-room-transition). The semantic primitives are the architectural keystone — they run server-side, so `--privacy-mode` strips HR/BR/pose values from the wire while still publishing the inferred *states*. That's the architectural win that makes RuView deployable in healthcare and AAL contexts.
-
-Plus 3 starter HA Blueprints, 3 drop-in Lovelace dashboards, an ESP32 hardware-validation harness, a witness bundle that self-verifies, and **420 lib tests including ~2,560 fuzzed assertions** per CI run.
-
-## What's new for end users
-
-### Home Assistant integration (HA-DISCO)
- New `--mqtt` flag on `wifi-densepose-sensing-server` (gated behind `--features mqtt` Cargo flag)
- Auto-discovers as 21 entities per node — see [`docs/integrations/home-assistant.md`](../integrations/home-assistant.md) for the full table
- mTLS support, configurable per-entity publish rates, `--privacy-mode` for healthcare/AAL deployments
- Pinned tested against **Home Assistant Core 2025.5** + **Mosquitto 2.0.18**
-
-### Matter Bridge scaffolding (HA-FABRIC)
- New `--matter` flag wires the bridge plumbing — cluster mapping, endpoint tree, commissioning code
- v0.7.0 ships **SDK-independent** — actual `rs-matter` integration deferred to v0.7.1 per ADR §9.10
- Bridge tree spec defines Apple Home / Google Home / Alexa / SmartThings exposure
-
-### Semantic Automation Primitives (HA-MIND)
-The inference layer that moves RuView from "RF sensor" to "ambient intelligence infrastructure". 10 v1 primitives, each with warmup gate + hysteresis + explainability tags. Per-primitive precision/recall published in [`docs/integrations/semantic-primitives-metrics.md`](../integrations/semantic-primitives-metrics.md).
-
-### 8 Starter HA Blueprints
-Ready-to-import YAML under [`examples/ha-blueprints/`](../../examples/ha-blueprints/) covering distress notification, sleep-aware hallway dimming, wake routines, elderly inactivity escalation, meeting room automation, bathroom fan, fall risk escalation, auto-arm security.
-
-### 3 Lovelace Dashboards
-Drop-in views under [`examples/lovelace/`](../../examples/lovelace/) — single-room overview, multi-node grid, healthcare/AAL care view (privacy-mode-compatible).
-
-## What's new for operators
-
-| Flag | Purpose |
-|---|---|
-| `--mqtt`, `--mqtt-host`, `--mqtt-port`, `--mqtt-username`, `--mqtt-password-env`, `--mqtt-client-id`, `--mqtt-prefix` | Broker connectivity |
-| `--mqtt-tls`, `--mqtt-ca-file`, `--mqtt-client-cert`, `--mqtt-client-key` | TLS / mTLS |
-| `--mqtt-refresh-secs`, `--mqtt-rate-{vitals,motion,count,rssi,pose}`, `--mqtt-publish-pose` | Rate control |
-| `--privacy-mode` | Strip HR/BR/pose at the wire boundary |
-| `--matter`, `--matter-setup-file`, `--matter-reset`, `--matter-vendor-id`, `--matter-product-id` | Matter bridge |
-| `--semantic`, `--semantic-thresholds-file`, `--semantic-zones-file`, `--semantic-baseline-window-days`, `--no-semantic <PRIMITIVE>` | Inference layer |
-
-Full CLI matrix: [`docs/integrations/home-assistant.md`](../integrations/home-assistant.md#configuration).
-
-## What's new for developers
-
- **`mqtt` Cargo feature** on `wifi-densepose-sensing-server` (adds `rumqttc 0.24` with rustls)
- **`matter` Cargo feature** — scaffolding only, no SDK pulled in
- New modules: `mqtt::{config,discovery,privacy,publisher,security,state}` and `semantic::{bus,common,sleeping,distress,room_active,elderly_anomaly,meeting,bathroom,fall_risk,bed_exit,no_movement,multi_room}` and `matter::{clusters,bridge,commissioning}`
- **420 unit tests passing** including 10 `proptest` cases that fuzz the wire boundary + semantic dispatch (~2,560 fuzzed assertions per CI run)
- **3 integration tests** against real Mosquitto in `.github/workflows/mqtt-integration.yml`
- **6 criterion benchmarks** — see [`docs/integrations/benchmarks.md`](../integrations/benchmarks.md)
- **ESP32 validation harness** — `scripts/validate-esp32-mqtt.sh` runs end-to-end against attached hardware
- **Witness bundle generator** — `scripts/witness-adr-115.sh` produces self-verifying tarballs
-
-## Benchmarks (laptop, release build)
-
-| Hot path | Measured | Target | Better |
-|---|---|---|---|
-| `state::event_fall` encode | 259 ns | <2 µs | 7.7× |
-| `rate_limiter::allow_first` | 49.7 ns | <100 ns | 2× |
-| `rate_limiter::allow_within_gap` | 62.1 ns | <100 ns | 1.6× |
-| `privacy::decide_hr_strip` | 0.24 ns | <50 ns | 208× |
-| `privacy::decide_presence_keep` | 0.24 ns | <50 ns | 208× |
-| `semantic::bus_tick_all_10_primitives` | 717 ns | <10 µs | 14× |
-
-Every target beaten by ≥1.6×, several by 100×+. Full numbers + reproduction recipe in [`docs/integrations/benchmarks.md`](../integrations/benchmarks.md).
-
-## Security
-
- **Wire-boundary audit** (`mqtt::security`) — topic-segment safety (rejects MQTT wildcards `+`/`#`, NUL, `/`), TLS path safety (NUL/newline rejection), 32 KB payload-size cap, credential-hygiene canary (`--mqtt-password` regression-detector), `RUVIEW_MQTT_STRICT_TLS=1` v0.8.0 upgrade path
- **5 property-based fuzz cases** in `mqtt::security::tests` covering random Unicode + injected wildcards/NULs at arbitrary offsets
- **`--privacy-mode`** enforced at every layer — discovery suppression + state stripping + Matter cluster gating
-
-## Reproducibility
-
-```bash
-git checkout v0.7.0
-cd v2
-cargo test -p wifi-densepose-sensing-server --no-default-features --lib       # 420 passed
-cargo test -p wifi-densepose-sensing-server --features mqtt --no-default-features --lib   # also 420 passed
-RUVIEW_RUN_INTEGRATION=1 cargo test -p wifi-densepose-sensing-server \
-    --features mqtt --no-default-features --test mqtt_integration -- --test-threads=1
-cargo bench -p wifi-densepose-sensing-server --features mqtt --bench mqtt_throughput
-cd ..
-bash scripts/witness-adr-115.sh
-cd dist/witness-bundle-ADR115-*/ && bash VERIFY.sh   # "ADR-115 witness bundle: VERIFIED ✓"
-```
-
-## Deferred to v0.7.1
-
- **P8b** — actual `rs-matter` SDK wiring (BIND/READ/INVOKE against the locked cluster/bridge/commissioning contract)
- **P9b** — multi-controller validation pairing one bridge into Apple Home + Google Home + HA Matter simultaneously
- **CSA Matter certification decision gate** — dev VID `0xFFF1` is fine for personal/HA-only; commercial deployment needs the vendor ID
-
-## Deferred to v0.8.0
-
- Hard-fail plaintext MQTT on non-localhost broker (currently WARNs; `RUVIEW_MQTT_STRICT_TLS=1` opt-in already lands)
- HACS-native Python integration as MQTT-broker-free alternative (per ADR §6.A)
-
-## Acknowledgements
-
-Maintainer ACK on all 13 ADR §9 open questions (#776). 17 commits on the feat branch, each phase-tagged. PR review: [#778](https://github.com/ruvnet/RuView/pull/778).
@@ -1,358 +0,0 @@
---
-title: "ADR-116 Research: Home Assistant + Matter Cognitum Seed Cog"
-date: 2026-05-23
-author: ruv
-status: research-complete
-relates-to: ADR-110, ADR-115
-sources:
-  - https://csa-iot.org/newsroom/matter-1-4-enables-more-capable-smart-homes/
-  - https://csa-iot.org/newsroom/matter-1-4-2-enhancing-security-and-scalability-for-smart-homes/
-  - https://docs.espressif.com/projects/esp-matter/en/latest/esp32c6/certification.html
-  - https://docs.espressif.com/projects/esp-matter/en/latest/esp32s3/optimizations.html
-  - https://matter-survey.org/cluster/0x0406
-  - https://developers.home-assistant.io/docs/core/integration-quality-scale/rules/
-  - https://www.hacs.xyz/docs/publish/integration/
-  - https://www.derekseaman.com/2025/11/aqara-fp300-the-ultimate-presence-sensor-home-assistant-edition.html
-  - https://www.tommysense.com/
-  - https://github.com/francescopace/espectre
-  - https://kendallpc.com/fdas-2026-guidance-on-general-wellness-devices-policy-for-low-risk-devices-key-compliance-and-regulatory-insights-for-digital-health-companies/
-  - https://www.troutman.com/insights/fdas-2026-guidance-on-general-wellness-devices-policy-for-low-risk-devices/
-  - https://community.st.com/t5/stm32-summit-q-a/what-is-the-usual-cost-for-a-matter-certification/td-p/652346
-  - https://github.com/p01di/esp32c6-thread-border-router
-  - https://libraries.io/npm/ruvllm-esp32
-  - https://github.com/ruvnet/RuView/blob/main/docs/adr/ADR-069-cognitum-seed-csi-pipeline.md
-  - https://www.matteralpha.com/news/home-assistant-2025-12-adds-enhancements-to-matter-sensor-doorlock-and-covering
-  - https://docs.nordicsemi.com/bundle/ncs-3.1.0/page/nrf/protocols/matter/getting_started/testing/thread_one_otbr.html
---
-
-# ADR-116 Research Dossier: Home Assistant + Matter Integration as a Cognitum Seed Cog
-
-**Research question**: How far can we take HA + Matter integration for WiFi-DensePose / RuView, specifically packaged as a Cognitum Seed cog running on the ESP32-S3 Seed appliance?
-
-**Baseline**: ADR-110 (ESP32-C6 mesh firmware, v0.7.0-esp32) and ADR-115 (HA-DISCO MQTT + HA-FABRIC Matter scaffold, v0.7.0) are both merged to main. This research scopes ADR-116.
-
---
-
-## 1. Matter / Thread Frontier
-
-### 1.1 Current specification state (May 2026)
-
-Matter 1.4 (released November 2024) added Solar Power, Battery Storage, Heat Pump, Water Heater, and Mounted Load Control device types — primarily energy-management expansion. It did NOT add health, wellness, vitals, or biometric device types. The cluster relevant to WiFi-DensePose is the **Occupancy Sensing cluster (0x0406)**, which has been present since Matter 1.1 and reached revision 5 in Matter 1.4.
-
-Matter 1.4.2 (current patch release as of research date) focused on security: vendor-ID cryptographic verification of Fabric Admins, Access Restriction Lists (ARLs) for network infrastructure devices, Certificate Revocation Lists (CRLs), and Wi-Fi-only commissioning without BLE. The Wi-Fi-only commissioning path (no BLE requirement) is directly relevant to the Seed, which hosts its own AMOLED UI and can display QR codes natively.
-
-**Occupancy Sensing cluster 0x0406 feature flags** (Matter 1.4 revision 5): PIR, Ultrasonic, PhysicalContact, ActiveInfrared, **Radar**, **RFSensing**, Vision, Prediction, OccupancyEvent. The `RFSensing` feature flag added in 1.3 is the correct semantic tag for CSI-based WiFi detection — we are not PIR or Radar in the classical sense. Home Assistant 2025.12 added configurable `HoldTime` for occupancy sensors and support for `CurrentSensitivityLevel`, both attributes our MQTT path already carries.
-
-**Breathing rate and heart rate have no Matter cluster today.** The spec does not define a BiomedicalSensing or VitalSigns device type. Until the CSA adds one (no public work item found as of May 2026), vitals must stay on MQTT. This is a hard architectural constraint for the Matter path.
-
-### 1.2 Thread Border Router on ESP32-C6
-
-The ESP32-C6 carries 802.15.4 natively (the same radio used for Thread and Zigbee). Espressif ships a working single-chip Thread Border Router reference design for C6 in `esp-matter`, confirmed by community hardware tests (p01di/esp32c6-thread-border-router on GitHub). The C6 can operate as a Thread BR while simultaneously sensing on 2.4 GHz Wi-Fi — the two radios share the same front-end but schedule airtime independently under ESP-IDF. ADR-110 already initializes the 802.15.4 subsystem (`c6_timesync.c`) for cross-node time sync; adding TBR functionality is a matter of enabling `CONFIG_OPENTHREAD_BORDER_ROUTER=y` in the C6 sdkconfig overlay, adding the `esp_openthread_border_router_init()` call, and exposing the backbone interface (Wi-Fi STA).
-
-**Thread 1.4 (TREL)**, shipped with Apple tvOS 26 in late 2025, adds Thread Radio Encapsulation Link — Thread traffic tunneled over Wi-Fi as a fallback backhaul. The C6's Wi-Fi 6 radio supports this. TREL removes the hard dependency on a BR for cross-subnet Thread commissioning, which means a C6-equipped Seed node could participate in a Thread fabric without a dedicated BR appliance.
-
-### 1.3 Matter Commissioner / Root mode
-
-In Matter terms, a Commissioner is a distinct role from an Accessory (end device) or Bridge. The Matter spec allows a device to be simultaneously a Fabric member (commissioned) and a Commissioner (able to commission other devices). The `chip-tool` in `connectedhomeip` is the canonical embeddable commissioner implementation. Running chip-tool on the S3 (512 KB SRAM + 8 MB PSRAM) is feasible but borderline — the commissioner stack requires Thread discovery, BLE central, and certificate-chain verification, adding approximately 400–600 KB RAM footprint on top of the application. On the S3 with 8 MB PSRAM mapped to heap this is tractable; on the C6 (320 KB SRAM, no PSRAM) it is not.
-
-**Practical recommendation**: the Cognitum Seed (S3 + PSRAM + full appliance OS) is the right place to host a Matter commissioner, not the C6 sensing nodes. The Seed can use its existing bearer-token API surface and its cognitum-fleet process (port 9002) as the orchestration layer that opens commissioning windows and bootstraps C6 nodes into the Fabric. C6 nodes remain Accessories only.
-
-### 1.4 CSA certification path
-
-Certification requires: (1) CSA membership (~$22,500/year for full member; lower tiers exist), (2) an Authorized Test Laboratory (ATL) engagement (~$10,000–$19,540 per product for lab fees and certification application), (3) PICS/PIXIT XML submission, (4) hardware shipping to the ATL, and (5) registration on the Distributed Compliance Ledger (DCL). Espressif provides pre-certified radio modules (ESP32-C6-MINI-1, ESP32-S3-MINI-1) which can reduce retesting scope under CSA's Rapid Recertification program — only clusters/device-types added beyond the pre-certified baseline require full ATL re-test. Using `esp-matter` with a pre-certified Espressif module, the realistic total cost for bridge certification is **$30,000–$42,000 first year, $22,500/year thereafter** for a full CSA member, or less if using a pass-through arrangement via an ODM partner that already holds membership.
-
-**Alternative**: publish as "Works with Home Assistant" (free, no CSA ATL, just integration tests) and defer CSA certification to v1.1 when commercial customers require it. The `RFSensing` device class and OccupancySensing cluster are already well-supported in the HA Matter integration without certification.
-
-**Key sources**: [Espressif Matter certification guide](https://docs.espressif.com/projects/esp-matter/en/latest/esp32c6/certification.html), [CSA certification process overview](https://csa-iot.org/certification/), [ST community cost discussion](https://community.st.com/t5/stm32-summit-q-a/what-is-the-usual-cost-for-a-matter-certification/td-p/652346), [Nordic Rapid Recertification notes](https://devzone.nordicsemi.com/f/nordic-q-a/116005/csa-iot-rapid-recertification-program), [ESP32-C6 single-chip TBR](https://github.com/p01di/esp32c6-thread-border-router).
-
---
-
-## 2. HACS Distribution
-
-### 2.1 What HACS unlocks beyond MQTT auto-discovery
-
-MQTT auto-discovery (HA-DISCO, shipped in ADR-115) creates entities automatically but the integration surface is constrained:
-
-| Capability | MQTT auto-discovery | HACS Python integration |
-|---|---|---|
-| Config flow (UI setup without YAML) | no — user edits MQTT broker settings manually | yes — wizard walks user through seed URL, token, privacy options |
-| Repairs API | no | yes — surfaces structured error reasons ("node offline", "firmware mismatch") as HA repair cards |
-| Diagnostics download | no | yes — button in HA device page exports a JSON bundle for bug reports |
-| Re-authentication flow | no | yes — handles token expiry without user needing to touch YAML |
-| Device registry deep links | partial — via_device works | yes — full device info page, firmware version, last-seen, signal quality |
-| Service actions | no | yes — `wifi_densepose.set_privacy_mode`, `wifi_densepose.calibrate_zone` as typed HA services |
-| Config entry options | no | yes — change polling interval, privacy mode, zone layout from HA UI |
-| Translations (i18n) | no | yes — strings.json enables localized entity names and setup UI |
-| Integration quality scale tier | n/a | bronze is minimum; gold (diagnostics + repairs + discovery) is the target |
-| HACS listing | not applicable | yes — users install via HACS Store in one click |
-
-### 2.2 Quality Scale targets
-
-HA's quality scale has four tiers. **Bronze** (19 rules) is the minimum: config_flow, unique entity IDs, test coverage, basic documentation. **Silver** adds 95%+ test coverage and re-authentication. **Gold** adds repairs flows, diagnostics, reconfiguration flows, device categories and translations — this is the target for a v1 HACS integration because it meets the bar set by well-regarded third-party integrations like Z-Wave JS and ESPresense. **Platinum** adds strict typing, async dependency injection, and websession management — worth pursuing but not on the v1 critical path.
-
-### 2.3 HACS submission requirements
-
-HACS requires: public GitHub repo, repo description, topic tags, README, single custom component at `custom_components/wifi_densepose/`, `manifest.json` with `domain`, `documentation`, `issue_tracker`, `codeowners`, `name`, `version` fields, and a `brand/icon.png`. No formal approval process — listing is automatic once requirements are met via HACS default repositories submission. HA's `hassfest` CI tool validates the manifest structure and can be added to the repo's CI pipeline as a workflow step.
-
-The `hacs.integration_blueprint` template (github.com/jpawlowski/hacs.integration_blueprint) provides a well-maintained starting point with all boilerplate including config flow, repairs, diagnostics, and translations scaffolding.
-
-**Key sources**: [HA quality scale rules](https://developers.home-assistant.io/docs/core/integration-quality-scale/rules/), [HACS publish guide](https://www.hacs.xyz/docs/publish/integration/), [HACS 2.0 announcement](https://www.home-assistant.io/blog/2024/08/21/hacs-the-best-way-to-share-community-made-projects-just-got-better/), [integration blueprint](https://github.com/jpawlowski/hacs.integration_blueprint).
-
---
-
-## 3. Cog Architecture for the Seed
-
-### 3.1 Current cog packaging model
-
-Based on ADR-069 and the cognitum-v0 appliance surface observed in the fleet:
-
- Cogs are signed binaries distributed via GCS buckets and cataloged at `GET /api/v1/edge/registry` (ADR-102).
- Each binary is verified against an **Ed25519 signature** before installation (ADR-100). The device-bound keypair lives in NVS on the Seed.
- Cog binaries are platform-specific: `aarch64` for Pi-based Seed appliances, `x86_64` for the desktop appliance, and (from ADR-069) the feature-vector packet format (`edge_feature_pkt_t`, magic `0xC5110003`) defines the ESP32 side of the protocol. The cog runs on the Seed appliance, not directly on the ESP32.
- The registry catalog at `seed.cognitum.one/store` lists 105 cogs with capability declarations. The Seed's `cognitum-ota-registry` (port 9003) handles OTA delivery.
- Capability declarations include dependency lists, required Seed version, permission scopes (network, storage, MCP tool invocations), and resource budgets (max RAM, max CPU).
-
-### 3.2 Proposed HA+Matter cog architecture
-
-The cog runs as a long-lived process on the Seed (aarch64 binary, supervised by `cognitum-agent`). It owns two surfaces:
-
-**Surface A — MQTT bridge**: connects to a user-configured Mosquitto broker (or uses the Seed's internal broker), republishes telemetry from the Seed's `ruview-vitals-worker` (port 50054) as HA auto-discovery messages. This reuses the HA-DISCO logic already in `wifi-densepose-sensing-server` but runs as a Seed-native cog rather than requiring the user to run the sensing-server separately. The cog registers a `ha_mqtt` MCP tool (114-tool catalog) so automations running on other cogs can call `ha_mqtt.publish_state(entity_id, state)`.
-
-**Surface B — Matter bridge**: wraps `esp-matter` / `matter-rs` as a Matter Accessory Bridge. The Seed acts as a WiFi-connected Matter Bridge — one Fabric node with N dynamic endpoints, one per sensing zone. Device types used: `OccupancySensor` (0x0107, clusters: `OccupancySensing 0x0406` with `RFSensing` feature flag + `BooleanState 0x0045`), `ContactSensor` for fall events, and a vendor-specific numeric attribute for person count on the Bridge root endpoint. The Seed's AMOLED display shows the Matter QR code for commissioning — no phone or scanning app required.
-
-**Surface C — HA HACS integration (optional for users without MQTT)**: a Python package in `custom_components/wifi_densepose/` that speaks directly to the Seed's REST API (`/api/v1/`, bearer token from cognitum-agent on port 80) and bootstraps config flow, entities, repairs, and diagnostics as described in §2.
-
-**Deployment topology**: Seed acts as hub for all sensing nodes (ESP32-S3 and C6). Nodes stream feature vectors to the Seed over UDP (ADR-069 protocol). The cog translates these into HA entities, Matter endpoints, and (via Surface C) HACS entity objects. One cog install covers an unlimited number of ESP32 nodes behind that Seed.
-
-### 3.3 Should the cog speak MQTT or publish Matter directly?
-
-**MQTT to local HA is the lower-risk, faster path**: it requires no Matter SDK linkage, no CSA certification, and reuses the existing HA-DISCO logic. Matter direct publishing requires the Seed to hold a valid Fabric certificate (obtained through the commissioning flow with the user's HA or Apple Home controller), manage operational credentials, and handle rekey events. The overhead is manageable on the Seed (S3 processor + Pi aarch64 appliance stack), but the development and QA cost is 3-4x higher. The recommended architecture is: **MQTT as primary, Matter as secondary** — matching ADR-115's dual-protocol decision but now native to the cog.
-
-**Key sources**: [ADR-069 CSI pipeline](https://github.com/ruvnet/RuView/blob/main/docs/adr/ADR-069-cognitum-seed-csi-pipeline.md), [ESP32 Matter Bridge example](https://project-chip.github.io/connectedhomeip-doc/examples/bridge-app/esp32/README.html), [Tasmota Matter internals](https://tasmota.github.io/docs/Matter-Internals/), [cognitum-v0 fleet stack].
-
---
-
-## 4. Local-First AI: ruvllm + RuVector on the Seed
-
-### 4.1 Hardware budget
-
-The Cognitum Seed (ESP32-S3 variant: 8 MB PSRAM + 16 MB flash; Pi 5 variant: 8 GB RAM, Hailo AI hat) has two distinct execution environments. For on-Seed inference the numbers differ dramatically:
-
-| Target | RAM headroom for inference | Flash/storage | Typical INT8 model ceiling |
-|---|---|---|---|
-| ESP32-S3 (8 MB PSRAM) | ~5 MB after OS + MQTT + Matter stack | 16 MB flash | 3–5 MB quantized model (e.g., MobileNetV2-class) |
-| Pi 5 Seed (8 GB RAM, Hailo-10) | ~6 GB free | NVMe | 40 TOPS hardware acceleration; 7B INT4 models feasible |
-| cognitum-v0 Pi 5 (Hailo via ruvector-hailo-worker) | 6 GB RAM + Hailo | NVMe | 40 TOPS; Hailo HEF deployment |
-
-For a **semantic-primitives inference cog running on the ESP32-S3 Seed**, the target is an INT8-quantized classifier that takes the 8-dimensional feature vector (`edge_feature_pkt_t`) as input and outputs 10 semantic primitive probabilities. This is a trivially small model (8 → 64 hidden → 10 outputs, ~10 KB quantized) — it fits entirely in SRAM without needing PSRAM. The ruvllm-esp32 library (npm: `ruvllm-esp32 0.3.3`, cargo: `ruvllm-esp32 0.3.2`) confirms this path: INT8 quantization, HNSW vector search, and SONA self-optimizing adaptation in under 100 µs per query.
-
-### 4.2 SONA fine-tuning loop
-
-The ruvllm SONA (Self-Optimizing Neural Architecture) adapter performs online gradient descent on LoRA-style adapter weights in under 100 µs per query. For the 10-semantic-primitive classifier, this means the Seed can fine-tune its thresholds per-home using occupant feedback without any cloud round-trip:
-
-1. User confirms a false positive via HA notification (e.g., "that was not a fall, I just sat down quickly").
-2. Feedback is recorded via the cog's `ha_mqtt.feedback` MCP tool.
-3. SONA runs one gradient step on the LoRA adapter weights for the `fall_risk_elevated` primitive.
-4. New weights are written to NVS on the ESP32-S3. The witness chain records the adaptation event with a timestamp.
-
-For the Pi 5 Seed with Hailo-10 (40 TOPS), this extends to full 7B-class LoRA fine-tuning using the Hailo HEF pipeline already running at port 50051 (`ruvector-hailo-worker`). The `ruvllm-microlora-adapt` MCP tool in the cog catalog covers this path.
-
-**Latency budget**: 8-dim → 10-output classifier: <1 ms on S3 SRAM (well within 20 Hz update cadence). SONA one-step gradient: <100 µs per adaptation event. Total per-inference overhead: negligible.
-
-### 4.3 RuVector embeddings for room-level semantic context
-
-The Seed's RuVector 2.0.4 integration (ADR-016) maintains HNSW embeddings of CSI feature vectors. The semantic primitives (sleeping, distress, meeting, etc.) can be implemented as HNSW nearest-neighbor lookups against a learned embedding space rather than threshold classifiers — this is more robust to room geometry variation. The `embeddings_rabitq_search` tool (RaBitQ approximate NN) supports sub-millisecond search on the ESP32-S3 PSRAM-hosted index. At 8 dimensions and 1,000 stored vectors, the HNSW index occupies approximately 200 KB — comfortably within PSRAM budget.
-
-**Key sources**: [ruvllm-esp32 on libraries.io](https://libraries.io/npm/ruvllm-esp32), [ESP32-S3 TinyML optimization guide](https://zediot.com/blog/esp32-s3-tinyml-optimization/), [edge LLM deployment 2025](https://kodekx-solutions.medium.com/edge-llm-deployment-on-small-devices-the-2025-guide-2eafb7c59d07), [LoRA-Edge paper](https://arxiv.org/pdf/2511.03765).
-
---
-
-## 5. Multi-Seed Federation
-
-### 5.1 Discovery mechanisms
-
-Three viable discovery layers for two Seeds in adjacent rooms:
-
-**mDNS**: each Seed already advertises `_ruview._tcp` and `_matter._tcp` on the LAN. A second Seed can discover the first via `mdns-sd` query at startup and register it as a peer node. The cognitum-fleet service (port 9002) already implements fleet orchestration; adding peer-to-peer node registration is an extension of that model. **Caveat**: mDNS is link-local and does not cross VLANs. For multi-VLAN deployments (common in prosumer and commercial setups), a Tailscale overlay (the project already has a fleet on Tailscale — see CLAUDE.local.md) provides routable discovery at the cost of adding the Tailscale daemon to the cog's dependency list.
-
-**Matter multi-admin**: once both Seeds are commissioned to the same Matter Fabric (e.g., via HA's Matter integration), the Fabric provides a shared namespace. However, Matter does not define a cross-device occupancy-handoff event — it only publishes per-device state. Handoff logic must live in HA automations or in the Seed cog's federation layer.
-
-**Direct ESP-NOW mesh (ADR-110)**: the C6 nodes already run ESP-NOW with 99.56% RX reliability. Two Seeds each hosting C6 nodes can use ESP-NOW as the real-time cross-node synchronization bus — one C6 detects motion entering a room, broadcasts the event over ESP-NOW, the adjacent C6 primes its detector, and the Seed coordinator reconciles the two Occupancy states. This is the lowest-latency path (sub-millisecond over ESP-NOW vs. hundreds of milliseconds over MQTT → HA automation → MQTT).
-
-### 5.2 Conflict resolution for simultaneous fall detection
-
-When two sensing nodes both fire `fall_detected=true` within a short window, the cog applies a simple deduplication rule: the detection with the higher `presence_score` wins, and a 5-second exclusion window is applied on the lower-scoring node (matching the fall debounce logic from the firmware — 3-frame consecutive + 5 s cooldown). The winner's event is forwarded to HA as the canonical fall event. The loser is recorded in the witness chain with a `DEDUP_SUPPRESSED` tag for audit.
-
-For cross-room occupancy, the cog maintains a **single-occupancy graph**: if node A detects person_count=1 and node B simultaneously detects person_count=1, and the two nodes are configured as adjacent rooms, the cog checks whether person_count in the home (sum of all node counts) is consistent with known occupant count (configurable, defaults to household size from HA's `persons` entity). Inconsistency triggers a `multi_room_transition` event published to HA rather than both nodes claiming simultaneous presence.
-
-### 5.3 Witness chain for cross-Seed events
-
-ADR-069 defines a SHA-256 tamper-evident witness chain per node. For cross-Seed events, the chain must include a cross-reference: each Seed's witness head at the time of the event is included in the other's chain entry. The cog implements this via a shared `witness_sync` MCP tool that both Seeds call before writing a cross-node event. This produces a bifurcated chain that any third party can verify for temporal consistency.
-
-**Key sources**: [Matter multi-admin guide](https://mattercoder.com/codelabs/how-to-use-multi-admin/), [ESP-NOW mesh ADR-110 witness log](../WITNESS-LOG-110.md), [HA mDNS cross-VLAN thread](https://niksa.dev/posts/ha-vlan/), [home-assistant-matter-hub mDNS issue](https://github.com/t0bst4r/home-assistant-matter-hub/issues/237).
-
---
-
-## 6. Competitor Analysis
-
-### 6.1 Aqara FP2 and FP300
-
-**FP2** (mmWave, Wi-Fi): presence, person count (up to 5), 30 zones with 320 detection areas, fall detection. HA integration via native Zigbee or Matter (Thread firmware). Matter mode is severely limited per user testing — configurable parameters are stripped and sensitivity settings are unavailable. Zigbee mode (via Zigbee2MQTT) is the recommended HA path. **No vitals (HR/BR), no pose.** Privacy story: local processing, no cloud required for automations.
-
-**FP300** (5-in-1: mmWave + PIR + light + temperature + humidity, Matter-over-Thread): presence (binary only), temperature, humidity, light level. No person count, no fall detection, no vitals. Thread firmware gives 5 HA entities. Matter mode is functional but configuration-limited. Battery-powered (2× CR2450, ~2 years in Thread mode). **Verdict**: Aqara's Matter story is hardware-first but software-limited. Their Matter device class choice is `OccupancySensor` with standard PIR/Radar bitmap — no `RFSensing` flag.
-
-### 6.2 TOMMY (tommysense.com)
-
-Wi-Fi CSI sensing for HA. Uses ESP32 nodes. Exposes zones as binary sensors (MQTT, port 1886) and as Matter `OccupancySensor` endpoints (QR-based pairing). Motion and presence only — no vitals, no pose, no fall detection. Privacy: fully local, one periodic license-check outbound call. Closed-source algorithm and firmware; open-source HA integration. **Pricing**: free trial (1 zone, 2-min pause per 2 min of detection), Pro (unlimited zones, continuous). **Key gap vs RuView**: no HR/BR, no pose keypoints, no fall detection, no witness chain, no SONA adaptation.
-
-### 6.3 ESPectre (github.com/francescopace/espectre)
-
-Open-source CSI motion detection with HA integration (HACS). ESP32-only. Motion detection via RSSI phase variance analysis — no person counting, no vitals, no fall detection. Python-based HA custom component. No Matter support. **Verdict**: proof-of-concept quality; not a commercial competitor but demonstrates demand for the HACS distribution path.
-
-### 6.4 Frigate NVR
-
-Video-based local AI NVR. MQTT integration with HA creates binary sensors (`binary_sensor.frigate_<camera>_person_motion`), person count sensors, and clip/snapshot sensors per camera. All inference on-device (Coral EdgeTPU or Hailo). **Privacy**: fully local, no cloud. Frigate's MQTT entity catalog per camera: 1 camera stream entity, N object detection binary sensors (person, car, dog, etc.), N object count sensors. No vitals, no pose skeleton. Matter support: none in Frigate itself. **Key privacy contrast vs RuView**: Frigate requires cameras (video pixels), RuView uses RF only — privacy advantage in bedrooms, bathrooms, and care settings.
-
-### 6.5 RoomMe (Intellithings)
-
-Bluetooth LE room presence using smartphone proximity. Supports HomeKit and some smart-device ecosystems. No native HA integration, no MQTT, no Matter. High per-unit cost ($69). No vitals, no fall detection. Not a real competitor for the CSI/mmWave presence category.
-
-### 6.6 Competitor entity catalog comparison
-
-| Feature | RuView (ADR-115) | Aqara FP2 | Aqara FP300 | TOMMY | Frigate |
-|---|---|---|---|---|---|
-| Presence (binary) | yes | yes | yes | yes | yes (person class) |
-| Person count | yes | yes (5 max) | no | no | yes (per class) |
-| HR / BR | yes | no | no | no | no |
-| Pose keypoints | yes (17-pt) | no | no | no | no |
-| Fall detection | yes | yes | no | no | no |
-| Semantic primitives | yes (10) | no | no | no | no |
-| Multi-room handoff | yes (cog) | no | no | no | no |
-| Privacy mode | yes (wire-strip) | local only | local only | local only | local only |
-| HACS integration | roadmap | no | no | yes | yes |
-| Matter native | yes (bridge) | yes (limited) | yes | yes | no |
-| Witness chain | yes | no | no | no | no |
-
-**Key sources**: [Aqara FP300 HA review](https://www.derekseaman.com/2025/11/aqara-fp300-the-ultimate-presence-sensor-home-assistant-edition.html), [TOMMY product page](https://www.tommysense.com/), [ESPectre GitHub](https://github.com/francescopace/espectre), [Frigate NVR docs](https://frigate.video/), [mmWave presence sensors 2026 comparison](https://www.linknlink.com/blogs/guides/best-mmwave-presence-sensors-home-assistant-2026).
-
---
-
-## 7. Regulatory Frontier
-
-### 7.1 FDA classification landscape (2026 update)
-
-The FDA issued updated General Wellness Device guidance on January 6, 2026. Key clarifications relevant to WiFi-DensePose:
-
-**Wellness device criteria** (functions that keep the product outside FDA jurisdiction): the device must (a) have low inherent risk to user safety, (b) make no reference to specific diseases or conditions, and (c) not provide diagnostic or treatment outputs. Examples in the guidance: heart rate monitoring, sleep tracking, activity/recovery metrics, oxygen saturation trends — all qualify as wellness when marketed without diagnostic claims.
-
-**Claims that trigger medical device classification**: any output labeled as "abnormal, pathological, or diagnostic"; recommendations concerning clinical thresholds or treatment; ongoing clinical monitoring or alerts for medical management; substitution for an FDA-approved device. A fall detection feature framed as "alert a caregiver when you might have fallen" is materially different from one framed as "diagnose fall injury" — the former qualifies as wellness under the 2026 guidance; the latter does not.
-
-**The defensible wellness-device position for RuView**: (a) market fall detection as an "activity anomaly notification" not a "medical fall diagnosis"; (b) include explicit disclaimers against diagnostic or clinical use in app-store descriptions, labeling, and HA integration documentation; (c) avoid "medical-grade" accuracy claims for HR/BR readings; (d) position the device as a "smart home occupancy and wellness assistant" rather than a "patient monitoring system."
-
-### 7.2 HIPAA applicability
-
-HIPAA applies only when an entity is a HIPAA "covered entity" (healthcare providers, health plans, clearinghouses) or their "business associate." A consumer smart home product sold direct-to-homeowners is not automatically a covered entity. However, HIPAA applicability is triggered if the Seed's data flows into a covered entity's system (e.g., a care facility's EHR). The privacy-mode flag in ADR-115 (stripping HR/BR/pose at the wire, publishing only semantic state digests) creates a technical barrier to PHI transmission that supports a "not a covered entity" position.
-
-**All 50 US states** impose data breach notification requirements regardless of HIPAA status. The witness chain (SHA-256 tamper-evident audit log per node) satisfies most state-level data-integrity requirements.
-
-### 7.3 Matter Health-Check device class
-
-Matter currently has no "Health" or "Wellness" device class in the formal taxonomy. The closest is `OccupancySensor` with the `RFSensing` feature flag. The device type `0x0107` (OccupancySensor) in the DCL will not trigger any health-device regulatory scrutiny. Using this device type keeps the Seed in the same regulatory category as a smart motion sensor — well outside the medical device perimeter.
-
-**Key sources**: [FDA 2026 General Wellness guidance (Kendall PC)](https://kendallpc.com/fdas-2026-guidance-on-general-wellness-devices-policy-for-low-risk-devices-key-compliance-and-regulatory-insights-for-digital-health-companies/), [Troutman Pepper Locke analysis](https://www.troutman.com/insights/fdas-2026-guidance-on-general-wellness-devices-policy-for-low-risk-devices/), [IEEE Spectrum FDA device rules](https://spectrum.ieee.org/fda-medical-device-rules), [FDA wellness tracker / cybersecurity interlock (Troutman)](https://www.troutman.com/insights/wellness-trackers-medical-status-and-cybersecurity-how-fda-ftc-and-state-laws-interlock/).
-
---
-
-## 8. Frontier Features Worth Shipping
-
-### 8.1 HACS marketplace listing
-
-**Build cost**: medium (4–6 weeks for a gold-tier integration). **User impact**: very high — one-click install removes the MQTT broker prerequisite for non-power-users.
-
-Architecture: Python package at `custom_components/wifi_densepose/`, config flow that discovers Seeds via mDNS (`_ruview._tcp`) or manual IP, bearer token authentication against `GET /api/v1/status`, full entity catalog matching ADR-115 §3.1 (21 entities per node), repairs for offline nodes, diagnostics export, translations for EN/FR/DE/ES. Start from `hacs.integration_blueprint` template. Submit via HACS default repositories GitHub submission.
-
-### 8.2 Matter Bridge with OccupancySensor / ContactSensor / BooleanState
-
-**Build cost**: high (6–8 weeks including CI test harness with chip-tool simulator). **User impact**: high for Apple Home / Google Home users who don't run HA.
-
-Device type mapping:
- Presence → `OccupancySensor (0x0107)` with `OccupancySensing (0x0406)`, `RFSensing` feature flag set, `HoldTime` attribute wired to sensing-server's zone dwell time.
- Fall detected → `ContactSensor (0x0015)` used as event source (state: `true` for 5 s after fall, then auto-reset) — closest available device type until a FallEvent device type exists in the spec.
- Person count → vendor-specific attribute on the Bridge root endpoint (`VendorSpecificAttributeCount`, cluster 0xFFF1_xxxx namespace).
-
-Memory on S3: baseline Matter stack ~1.5 MB flash, ~195 KB DRAM + PSRAM heap; BLE freed post-commissioning recovers ~100 KB. 16 dynamic endpoints (default maximum, configurable per `NUM_DYNAMIC_ENDPOINTS`) costs ~550 bytes DRAM each. For 8 zones: 8 × 550 = 4.4 KB additional DRAM — well within budget. Wi-Fi-only commissioning (Matter 1.4.2) eliminates BLE requirement, simplifying the Seed hardware path.
-
-### 8.3 Cognitum Seed cog manifest + signing
-
-**Build cost**: low (1–2 weeks). **User impact**: enables one-tap install from the Cognitum Seed store.
-
-Manifest structure (based on ADR-069/ADR-100 patterns):
-```json
-{
-  "id": "cog-ha-matter-v1",
-  "version": "1.0.0",
-  "platforms": ["aarch64", "x86_64"],
-  "min_seed_version": "0.8.1",
-  "capabilities": ["network.mqtt", "network.matter", "api.ruview_vitals"],
-  "resource_budget": {"ram_mb": 128, "cpu_percent": 15},
-  "signing_key_id": "ed25519:ruv-cog-signing-v1",
-  "registry_url": "https://seed.cognitum.one/store/cog-ha-matter",
-  "ha_integration_repo": "https://github.com/ruvnet/hass-wifi-densepose"
-}
-```
-Binary signing uses the existing Ed25519 keypair infrastructure from ADR-100. The `cognitum-ota-registry` (port 9003) handles delivery. The cog declaration includes the companion HACS integration GitHub URL so the Seed UI can prompt the user to install the HACS companion if they have HA detected on the LAN.
-
-### 8.4 Local SONA fine-tuning loop for per-home thresholds
-
-**Build cost**: low (2–3 weeks, given ruvllm-esp32 already provides the primitives). **User impact**: high — eliminates false positives that are the top complaint for presence/fall sensors in HA forums.
-
-Implementation: HA sends feedback events via an MQTT command topic (`homeassistant/wifi_densepose/<node>/cmd/feedback`). The cog's SONA adapter processes the feedback as a labeled training example and runs one gradient step. After 20 feedback events, it triggers a witness-chain-attested weight checkpoint. The HACS integration surfaces this as a "Improve detection accuracy" button in the HA device page, pointing users to a simple thumbs-up/thumbs-down UI on the last 10 events.
-
-### 8.5 Multi-room presence handoff
-
-**Build cost**: medium (3–4 weeks). **User impact**: high — eliminates the "ghost occupancy" problem where HA thinks two rooms are occupied when a person walks from one to the other.
-
-Implementation: the cog runs a presence graph across all Seeds in the fleet. Nodes declare themselves adjacent via the manifest or via HA area assignment. When person_count transitions (room A: 1→0, room B: 0→1) within a configurable window (default 3 s), the cog publishes a single `multi_room_transition` event to HA with `from_zone` and `to_zone` fields, and holds the `person_count=1` in the destination room rather than briefly showing 0 in both. This is a cog-side state machine, not an HA automation — it runs at 20 Hz loop cadence.
-
-### 8.6 Energy disaggregation: pairing vitals with HA energy entities
-
-**Build cost**: medium (3–4 weeks). **User impact**: medium-high for sustainability-focused users.
-
-Non-Intrusive Load Monitoring (NILM) in HA already exists as a community blueprint (github.com/tronikos NILM blueprint). The opportunity for RuView is the inverse: rather than using energy to infer occupancy, use RuView's presence data to validate NILM's occupancy assumptions. When RuView reports presence_score < 0.1 (no one home) but the NILM model predicts an active appliance load inconsistent with unoccupied state (e.g., a TV left on), HA can surface a "phantom load detected" notification. The cog publishes a `phantom_load_candidate` event when this condition holds for more than 5 minutes. Pairs with HA's Energy dashboard (introduced in 2021, stable since 2023) and the `homeassistant/sensor/<node>/phantom_load/config` MQTT discovery topic.
-
-### 8.7 Privacy-mode "audit logs only"
-
-**Build cost**: low (1 week, extends existing `--privacy-mode` flag from ADR-115). **User impact**: high for HIPAA-adjacent deployments (care facilities, eldercare) and for GDPR-jurisdiction users.
-
-Three privacy tiers:
- `none`: full telemetry (HR, BR, pose, presence, count) published to MQTT and Matter.
- `semantic` (default): HR/BR/pose stripped at wire; semantic primitives (10 states) published only.
- `audit-only`: no MQTT state messages; only SHA-256 digests of events logged to the witness chain on the Seed. HA receives heartbeat-only availability messages. Suitable for deployments where the home network is untrusted or subject to external logging.
-
-The audit-only mode is a defensible HIPAA/GDPR position for integrators deploying in care settings — the Seed holds the event record, the network carries nothing personally identifiable.
-
---
-
-## Recommended Scope for HA+Matter Cog v1
-
-Ranked by **build cost × user impact** (low cost + high impact first):
-
-| Priority | Feature | Build effort | User impact | Ships in |
-|---|---|---|---|---|
-| 1 | **Privacy-mode audit-only tier** (§8.7) | 1 week | High (care/GDPR deployments) | v0.7.1 |
-| 2 | **Seed cog manifest + signing** (§8.3) | 1–2 weeks | High (Seed store distribution) | v0.7.1 |
-| 3 | **Local SONA fine-tuning loop** (§8.4) | 2–3 weeks | High (false-positive reduction) | v0.7.1 |
-| 4 | **HACS integration (gold tier)** (§8.1) | 4–6 weeks | Very high (removes MQTT prereq) | v0.7.2 |
-| 5 | **Multi-room presence handoff** (§8.5) | 3–4 weeks | High (ghost occupancy fix) | v0.7.2 |
-| 6 | **Matter Bridge OccupancySensor + ContactSensor** (§8.2) | 6–8 weeks | High (Apple/Google Home reach) | v0.8.0 |
-| 7 | **Energy disaggregation phantom-load** (§8.6) | 3–4 weeks | Medium-high (sustainability niche) | v0.8.0 |
-| 8 | **Thread Border Router on C6** (§1.2) | 2–3 weeks (config only) | Medium (Thread-fabric users) | v0.8.0 |
-| 9 | **CSA Matter certification** (§1.4) | $30–42k + 3–6 months | Medium (commercial badge) | post-v1.0 |
-
-**Deferred**: Seed-as-Matter-Commissioner (feasible on S3 appliance but requires full chip-tool port; defer to v1.0), full HA quality-scale platinum tier (gold is sufficient for v1 HACS listing), NILM phantom-load (ships as experimental blueprint first, then proper integration).
-
-**Recommended v0.7.1 sprint**: privacy-mode audit tier + cog manifest + SONA fine-tuning = 4–5 weeks total, fully within the existing Rust + ESP32 codebase with no new dependencies. This sprint closes the most impactful gap (care deployments + per-home personalization) before the heavier HACS/Matter work begins.
-
---
-
-*Research methodology: 8 parallel web search passes, 12 targeted page fetches, cross-referenced against ADR-115 and ADR-110 source files. Evidence grade: High for Matter cluster specifications, FDA guidance, HACS requirements, and ESP32-S3 memory numbers. Medium for CSA certification cost estimates (sourced from forum discussion, not official price list). Low for ruvllm SONA per-home fine-tuning feasibility (derived from library documentation, not benchmarked on Seed hardware). Open question: whether ESP32-S3 PSRAM heap is sufficient for the full Matter Bridge stack alongside the existing sensing-server runtime — a build-and-measure step is needed before committing to the v0.8.0 Matter bridge sprint.*
@@ -693,42 +693,6 @@ time. Use it to align multistatic frames from sibling boards.

 ---

-## Home Assistant + Matter integration
-
-Full design + operator guide: [`docs/integrations/home-assistant.md`](integrations/home-assistant.md) (ADR-115).
-
-### 30-second Mosquitto-add-on flow
-
-1. Inside Home Assistant, install the **Mosquitto broker** add-on from the Add-on Store and start it.
-2. In HA, **Settings → Devices & Services → Add Integration → MQTT**, point at the broker.
-3. Start the sensing-server with MQTT:
-
-   ```bash
-   docker run --rm --net=host ruvnet/wifi-densepose:0.7.0 \
-       --source esp32 --mqtt --mqtt-host <ha-host-ip>
-   ```
-4. Within ~5 seconds HA auto-creates one **device** per RuView node with 21 entities: 11 raw signals (presence, person count, HR, BR, motion, fall, RSSI, zones, pose, …) plus 10 semantic primitives (someone-sleeping, possible-distress, room-active, elderly-inactivity-anomaly, meeting, bathroom, fall-risk, bed-exit, no-movement, multi-room-transition).
-
-### Privacy mode for healthcare / AAL
-
-```bash
-sensing-server --mqtt --mqtt-host <broker> --mqtt-tls --privacy-mode
-```
-
-`--privacy-mode` strips heart rate, breathing rate, and pose keypoints from MQTT **and** Matter — they never reach the wire. Semantic primitives stay published because they're inferred *states* server-side, not biometric *values*. This is the architectural win that makes ADR-115 healthcare- and enterprise-deployable.
-
-### Matter Bridge (Apple Home / Google Home / Alexa / SmartThings)
-
-```bash
-sensing-server --matter --matter-setup-file /var/run/ruview-matter.txt
-```
-
-Open `/var/run/ruview-matter.txt` for the Matter pairing QR / 11-digit setup code. Scan it from Apple Home / Google Home / your HA Matter integration. RuView appears as a Bridged Device with one occupancy endpoint per node + per zone, plus a momentary switch for fall events.
-
-Detailed entity reference, blueprint catalog, troubleshooting recipe matrix: see [`docs/integrations/home-assistant.md`](integrations/home-assistant.md).
-
---
-
 ## Web UI

 The built-in Three.js UI is served at `http://localhost:3000/ui/` (Docker) or the configured HTTP port.
@@ -1,51 +0,0 @@
-blueprint:
-  name: RuView — notify on possible distress
-  description: >
-    Send a push notification when RuView's HA-MIND inference layer
-    detects sustained elevated heart rate + agitated motion without a
-    fall (possible_distress primitive). Includes the explainability
-    reason payload so the recipient knows why the alert fired.
-    Part of the ADR-115 §3.12 starter blueprint set.
-  domain: automation
-  source_url: https://github.com/ruvnet/RuView/blob/main/examples/ha-blueprints/01-notify-on-possible-distress.yaml
-  input:
-    distress_entity:
-      name: Possible distress binary_sensor
-      description: The `binary_sensor.*_possible_distress` entity published by RuView.
-      selector:
-        entity:
-          domain: binary_sensor
-    notify_target:
-      name: Notification service
-      description: Notify service to call (e.g. `notify.mobile_app_pixel_8`).
-      selector:
-        text: {}
-    cooldown_minutes:
-      name: Cooldown (minutes)
-      description: Suppress repeat alerts within this window.
-      default: 15
-      selector:
-        number:
-          min: 0
-          max: 240
-          unit_of_measurement: minutes
-
-mode: single
-max_exceeded: silent
-
-trigger:
-  - platform: state
-    entity_id: !input distress_entity
-    from: "off"
-    to: "on"
-
-action:
-  - service: !input notify_target
-    data:
-      title: "⚠️ Possible distress detected"
-      message: >
-        RuView flagged sustained elevated heart rate + agitated motion in
-        {{ state_attr(trigger.entity_id, 'friendly_name') or trigger.entity_id }}.
-        Reason: {{ state_attr(trigger.entity_id, 'reason') or 'none provided' }}.
-  - delay:
-      minutes: !input cooldown_minutes
@@ -1,52 +0,0 @@
-blueprint:
-  name: RuView — dim hallway when someone sleeping
-  description: >
-    Drop hallway lights to a configurable brightness when anyone in the
-    bedroom is in the someone_sleeping state. A midnight bathroom trip
-    doesn't blast full lights. Restores when sleeping flips off.
-    Part of the ADR-115 §3.12 starter blueprint set.
-  domain: automation
-  source_url: https://github.com/ruvnet/RuView/blob/main/examples/ha-blueprints/02-dim-hallway-when-sleeping.yaml
-  input:
-    sleeping_entity:
-      name: Someone sleeping binary_sensor
-      description: The `binary_sensor.*_someone_sleeping` entity published by RuView.
-      selector:
-        entity:
-          domain: binary_sensor
-    hallway_light:
-      name: Hallway light
-      selector:
-        entity:
-          domain: light
-    sleep_brightness:
-      name: Brightness while sleeping (%)
-      default: 10
-      selector:
-        number:
-          min: 1
-          max: 100
-          unit_of_measurement: "%"
-
-mode: single
-
-trigger:
-  - platform: state
-    entity_id: !input sleeping_entity
-
-action:
-  - choose:
-      - conditions:
-          - condition: state
-            entity_id: !input sleeping_entity
-            state: "on"
-        sequence:
-          - service: light.turn_on
-            target:
-              entity_id: !input hallway_light
-            data:
-              brightness_pct: !input sleep_brightness
-    default:
-      - service: light.turn_off
-        target:
-          entity_id: !input hallway_light
@@ -1,74 +0,0 @@
-blueprint:
-  name: RuView — wake-up routine on bed exit
-  description: >
-    When bed_exit fires in the morning window, ramp bedroom lights over
-    a configurable duration, start the coffee maker, and disarm the
-    home alarm. Time-window-gated so a midnight bathroom trip doesn't
-    trigger it. Part of the ADR-115 §3.12 starter blueprint set.
-  domain: automation
-  source_url: https://github.com/ruvnet/RuView/blob/main/examples/ha-blueprints/03-wake-routine-on-bed-exit.yaml
-  input:
-    bed_exit_event:
-      name: Bed exit event entity
-      selector:
-        entity:
-          domain: event
-    bedroom_light:
-      name: Bedroom light
-      selector:
-        entity:
-          domain: light
-    coffee_maker:
-      name: Coffee maker switch
-      selector:
-        entity:
-          domain: switch
-    home_alarm:
-      name: Home alarm control panel
-      selector:
-        entity:
-          domain: alarm_control_panel
-    window_start:
-      name: Morning window start (hh:mm)
-      default: "05:00:00"
-      selector:
-        time: {}
-    window_end:
-      name: Morning window end (hh:mm)
-      default: "09:00:00"
-      selector:
-        time: {}
-    ramp_seconds:
-      name: Light ramp duration (seconds)
-      default: 600
-      selector:
-        number:
-          min: 0
-          max: 3600
-          unit_of_measurement: s
-
-mode: single
-max_exceeded: silent
-
-trigger:
-  - platform: state
-    entity_id: !input bed_exit_event
-
-condition:
-  - condition: time
-    after: !input window_start
-    before: !input window_end
-
-action:
-  - service: light.turn_on
-    target:
-      entity_id: !input bedroom_light
-    data:
-      brightness_pct: 100
-      transition: !input ramp_seconds
-  - service: switch.turn_on
-    target:
-      entity_id: !input coffee_maker
-  - service: alarm_control_panel.alarm_disarm
-    target:
-      entity_id: !input home_alarm
@@ -1,70 +0,0 @@
-blueprint:
-  name: RuView — alert on elderly inactivity anomaly
-  description: >
-    Send a high-priority push notification when elderly_inactivity_anomaly
-    fires — the resident has been still for unusually long given their
-    personal baseline. Includes a configurable secondary call/SMS escalation
-    via a notify group if the first alert isn't acknowledged.
-    Part of the ADR-115 §3.12 starter blueprint set.
-  domain: automation
-  source_url: https://github.com/ruvnet/RuView/blob/main/examples/ha-blueprints/04-alert-elderly-inactivity-anomaly.yaml
-  input:
-    anomaly_entity:
-      name: Elderly inactivity anomaly binary_sensor
-      selector:
-        entity:
-          domain: binary_sensor
-    primary_notify:
-      name: Primary notify service (e.g. carer's phone)
-      selector:
-        text: {}
-    escalation_notify:
-      name: Escalation notify service (optional)
-      description: Fires if anomaly stays ON after ack_timeout_min.
-      default: ""
-      selector:
-        text: {}
-    ack_timeout_min:
-      name: Escalation timeout (minutes)
-      default: 10
-      selector:
-        number:
-          min: 1
-          max: 120
-          unit_of_measurement: minutes
-
-mode: single
-max_exceeded: silent
-
-trigger:
-  - platform: state
-    entity_id: !input anomaly_entity
-    from: "off"
-    to: "on"
-
-action:
-  - service: !input primary_notify
-    data:
-      title: "🚨 Inactivity anomaly"
-      message: >
-        Resident has been still longer than usual. Check on them.
-        Reason: {{ state_attr(trigger.entity_id, 'reason') or 'none provided' }}.
-  - wait_for_trigger:
-      - platform: state
-        entity_id: !input anomaly_entity
-        to: "off"
-    timeout:
-      minutes: !input ack_timeout_min
-    continue_on_timeout: true
-  - choose:
-      - conditions:
-          - condition: state
-            entity_id: !input anomaly_entity
-            state: "on"
-          - condition: template
-            value_template: "{{ (escalation_notify | default('')) != '' }}"
-        sequence:
-          - service: !input escalation_notify
-            data:
-              title: "🆘 Escalation — anomaly still active"
-              message: "No motion for the duration of the alert window. Please intervene."
@@ -1,52 +0,0 @@
-blueprint:
-  name: RuView — meeting lights + presence mode
-  description: >
-    When meeting_in_progress fires, set conference-room lights to a
-    professional white scene and switch presence-aware automations
-    (motion lights, ambient noise) into "meeting mode" so they don't
-    interrupt. Restores prior scene when meeting ends.
-    Part of the ADR-115 §3.12 starter blueprint set.
-  domain: automation
-  source_url: https://github.com/ruvnet/RuView/blob/main/examples/ha-blueprints/05-meeting-lights-presence-mode.yaml
-  input:
-    meeting_entity:
-      name: Meeting in progress binary_sensor
-      selector:
-        entity:
-          domain: binary_sensor
-    meeting_lights:
-      name: Meeting room lights (group)
-      selector:
-        entity:
-          domain: light
-    meeting_scene:
-      name: Scene to activate during meeting (e.g. scene.meeting_mode)
-      selector:
-        entity:
-          domain: scene
-    restore_scene:
-      name: Scene to restore after meeting (e.g. scene.room_default)
-      selector:
-        entity:
-          domain: scene
-
-mode: single
-
-trigger:
-  - platform: state
-    entity_id: !input meeting_entity
-
-action:
-  - choose:
-      - conditions:
-          - condition: state
-            entity_id: !input meeting_entity
-            state: "on"
-        sequence:
-          - service: scene.turn_on
-            target:
-              entity_id: !input meeting_scene
-    default:
-      - service: scene.turn_on
-        target:
-          entity_id: !input restore_scene
@@ -1,52 +0,0 @@
-blueprint:
-  name: RuView — bathroom fan while occupied
-  description: >
-    Run the bathroom exhaust fan while bathroom_occupied is ON, with a
-    configurable run-on delay after the zone clears (humidity recovery).
-    Privacy-mode-safe: bathroom_occupied is derived from zone presence,
-    not biometrics, so this works under --privacy-mode too.
-    Part of the ADR-115 §3.12 starter blueprint set.
-  domain: automation
-  source_url: https://github.com/ruvnet/RuView/blob/main/examples/ha-blueprints/06-bathroom-fan-while-occupied.yaml
-  input:
-    bathroom_entity:
-      name: Bathroom occupied binary_sensor
-      selector:
-        entity:
-          domain: binary_sensor
-    fan_switch:
-      name: Exhaust fan switch
-      selector:
-        entity:
-          domain: switch
-    run_on_minutes:
-      name: Run-on after vacated (minutes)
-      default: 5
-      selector:
-        number:
-          min: 0
-          max: 60
-          unit_of_measurement: minutes
-
-mode: restart
-
-trigger:
-  - platform: state
-    entity_id: !input bathroom_entity
-
-action:
-  - choose:
-      - conditions:
-          - condition: state
-            entity_id: !input bathroom_entity
-            state: "on"
-        sequence:
-          - service: switch.turn_on
-            target:
-              entity_id: !input fan_switch
-    default:
-      - delay:
-          minutes: !input run_on_minutes
-      - service: switch.turn_off
-        target:
-          entity_id: !input fan_switch
@@ -1,44 +0,0 @@
-blueprint:
-  name: RuView — escalate on fall-risk score crossing
-  description: >
-    Send a notification when the fall_risk_elevated sensor crosses a
-    configurable threshold (default 70) — the resident's near-fall
-    frequency + gait-instability proxy has reached a level worth
-    investigating. Pairs with the longer-term ADR-079 P9 personalisation
-    flow once available. Part of the ADR-115 §3.12 starter blueprint set.
-  domain: automation
-  source_url: https://github.com/ruvnet/RuView/blob/main/examples/ha-blueprints/07-fall-risk-escalation.yaml
-  input:
-    fall_risk_entity:
-      name: Fall risk elevated sensor (0-100 score)
-      selector:
-        entity:
-          domain: sensor
-    notify_target:
-      name: Notification service
-      selector:
-        text: {}
-    threshold:
-      name: Crossing threshold
-      default: 70
-      selector:
-        number:
-          min: 30
-          max: 100
-
-mode: single
-max_exceeded: silent
-
-trigger:
-  - platform: numeric_state
-    entity_id: !input fall_risk_entity
-    above: !input threshold
-
-action:
-  - service: !input notify_target
-    data:
-      title: "⚠️ Fall-risk score elevated"
-      message: >
-        {{ trigger.to_state.attributes.friendly_name or trigger.entity_id }}
-        crossed {{ threshold }} (current value
-        {{ trigger.to_state.state }}). Consider a wellness check.
@@ -1,65 +0,0 @@
-blueprint:
-  name: RuView — auto-arm security when room not active
-  description: >
-    Auto-arm the home alarm when room_active flips to OFF for all
-    monitored rooms AND no_movement is ON in the primary room. Lets the
-    home self-protect without requiring user input at the door.
-    Part of the ADR-115 §3.12 starter blueprint set.
-  domain: automation
-  source_url: https://github.com/ruvnet/RuView/blob/main/examples/ha-blueprints/08-auto-arm-security-when-not-active.yaml
-  input:
-    room_active_group:
-      name: Group of room_active binary_sensors (one per room)
-      description: A `group.*` entity containing every RuView room_active sensor.
-      selector:
-        entity:
-          domain: group
-    primary_no_movement:
-      name: Primary room no_movement binary_sensor
-      selector:
-        entity:
-          domain: binary_sensor
-    home_alarm:
-      name: Home alarm control panel
-      selector:
-        entity:
-          domain: alarm_control_panel
-    arm_mode:
-      name: Arm mode
-      default: arm_away
-      selector:
-        select:
-          options:
-            - arm_away
-            - arm_home
-            - arm_night
-    confirm_minutes:
-      name: Confirmation idle window (minutes)
-      default: 10
-      selector:
-        number:
-          min: 1
-          max: 120
-          unit_of_measurement: minutes
-
-mode: single
-
-trigger:
-  - platform: state
-    entity_id: !input room_active_group
-    to: "off"
-    for:
-      minutes: !input confirm_minutes
-
-condition:
-  - condition: state
-    entity_id: !input primary_no_movement
-    state: "on"
-  - condition: state
-    entity_id: !input home_alarm
-    state: disarmed
-
-action:
-  - service: "alarm_control_panel.{{ arm_mode }}"
-    target:
-      entity_id: !input home_alarm
@@ -1,60 +0,0 @@
-# RuView starter Home Assistant Blueprints
-
-8 ready-to-import HA Blueprints covering the highest-leverage automations
-RuView's HA-MIND semantic primitives unlock. Drop the YAML files into
-`<HA config>/blueprints/automation/ruvnet/` and import from the HA UI
-(**Settings → Automations & Scenes → Blueprints → Import Blueprint**).
-
-| # | Blueprint                                                           | Primary primitive            | Use case                              |
-|---|---------------------------------------------------------------------|------------------------------|---------------------------------------|
-| 1 | [Notify on possible distress](01-notify-on-possible-distress.yaml)   | `possible_distress`          | Healthcare / AAL / single-occupant    |
-| 2 | [Dim hallway when sleeping](02-dim-hallway-when-sleeping.yaml)       | `someone_sleeping`           | Convenience / sleep hygiene           |
-| 3 | [Wake routine on bed exit](03-wake-routine-on-bed-exit.yaml)         | `bed_exit`                   | Morning routine / smart home          |
-| 4 | [Alert on elderly inactivity anomaly](04-alert-elderly-inactivity-anomaly.yaml) | `elderly_inactivity_anomaly` | AAL / aging-in-place           |
-| 5 | [Meeting lights + presence mode](05-meeting-lights-presence-mode.yaml) | `meeting_in_progress`      | Conference room / WFH                 |
-| 6 | [Bathroom fan while occupied](06-bathroom-fan-while-occupied.yaml)   | `bathroom_occupied`          | Humidity / privacy-mode-safe          |
-| 7 | [Escalate on fall-risk crossing](07-fall-risk-escalation.yaml)       | `fall_risk_elevated`         | AAL / preventive intervention         |
-| 8 | [Auto-arm security when room not active](08-auto-arm-security-when-not-active.yaml) | `room_active` + `no_movement` | Self-arming security |
-
-## Verifying the YAML
-
-Each blueprint validates against the HA blueprint schema
-(https://www.home-assistant.io/docs/blueprint/schema/). To check locally
-without an HA install:
-
-```bash
-# Requires python3 + PyYAML
-for f in examples/ha-blueprints/*.yaml; do
-  python -c "import yaml,sys; yaml.safe_load(open('$f'))" && echo "✓ $f" || echo "✗ $f"
-done
-```
-
-## Privacy-mode compatibility
-
-Five of the eight blueprints work under `--privacy-mode` (no biometrics
-exposed). The other three depend on inferred states that themselves
-derive from biometrics, so they still publish, but the operator should
-audit before deploying in regulated contexts.
-
-| Blueprint                                | Privacy-mode safe? |
-|------------------------------------------|--------------------|
-| 01 Notify on possible distress           | ⚠️ derives from HR/motion — state still publishes |
-| 02 Dim hallway when sleeping             | ⚠️ derives from BR — state still publishes |
-| 03 Wake routine on bed exit              | ✅                  |
-| 04 Alert on elderly inactivity anomaly   | ✅                  |
-| 05 Meeting lights                        | ✅                  |
-| 06 Bathroom fan while occupied           | ✅ zone-derived only |
-| 07 Escalate on fall-risk crossing        | ⚠️ derives from motion-variance — state still publishes |
-| 08 Auto-arm security                     | ✅                  |
-
-The "⚠️" markers are the inferred-state-vs-raw-value distinction from
-[ADR-115 §3.12.3](../../docs/adr/ADR-115-home-assistant-integration.md#3123-why-these-specific-primitives):
-the *state* (e.g. `binary_sensor.someone_sleeping`) crosses the wire
-even in privacy mode because it's derived server-side, but it's no
-longer accompanied by the raw biometric values.
-
-## See also
-
- [ADR-115](../../docs/adr/ADR-115-home-assistant-integration.md) — full design
- [`docs/integrations/home-assistant.md`](../../docs/integrations/home-assistant.md) — operator guide
- [`docs/integrations/semantic-primitives-metrics.md`](../../docs/integrations/semantic-primitives-metrics.md) — per-primitive F1
@@ -1,93 +0,0 @@
-# RuView — Single-room overview Lovelace dashboard
-#
-# Drop into a Home Assistant Lovelace view (raw config editor). Replace
-# the `binary_sensor.ruview_bedroom_*` entity IDs with the entity IDs
-# auto-generated by your RuView node (HA picks them up from MQTT
-# discovery automatically — see `mosquitto_sub -t 'homeassistant/#'`
-# to enumerate them).
-#
-# This view shows the full 21-entity RuView surface for one room:
-# raw signals on the left (presence, HR, BR, motion, RSSI, fall risk
-# score) and semantic primitives on the right (sleeping, distress,
-# room active, no movement). Pose visualisation is a placeholder for
-# the v0.7.1 picture-elements integration.
-
-title: RuView — Bedroom
-path: ruview-bedroom
-icon: mdi:home-thermometer
-cards:
-  - type: vertical-stack
-    cards:
-      - type: markdown
-        content: >
-          ## Bedroom — RuView sensing
-          Status pulled live from MQTT auto-discovery. Tap any tile to
-          see the raw history graph.
-
-      - type: horizontal-stack
-        cards:
-          - type: tile
-            entity: binary_sensor.ruview_bedroom_presence
-            name: Presence
-            icon: mdi:motion-sensor
-            color: green
-          - type: tile
-            entity: binary_sensor.ruview_bedroom_someone_sleeping
-            name: Sleeping
-            icon: mdi:sleep
-            color: blue
-          - type: tile
-            entity: binary_sensor.ruview_bedroom_room_active
-            name: Room active
-            icon: mdi:home-account
-            color: amber
-
-      - type: glance
-        title: Raw vitals
-        entities:
-          - entity: sensor.ruview_bedroom_heart_rate
-            name: HR
-          - entity: sensor.ruview_bedroom_breathing_rate
-            name: BR
-          - entity: sensor.ruview_bedroom_motion_level
-            name: Motion
-          - entity: sensor.ruview_bedroom_person_count
-            name: Persons
-          - entity: sensor.ruview_bedroom_rssi
-            name: RSSI
-
-      - type: gauge
-        entity: sensor.ruview_bedroom_fall_risk_elevated
-        name: Fall risk score
-        min: 0
-        max: 100
-        severity:
-          green: 0
-          yellow: 40
-          red: 70
-
-      - type: entities
-        title: Safety
-        entities:
-          - entity: binary_sensor.ruview_bedroom_possible_distress
-            name: Possible distress
-          - entity: binary_sensor.ruview_bedroom_no_movement
-            name: No movement (safety)
-          - entity: binary_sensor.ruview_bedroom_elderly_inactivity_anomaly
-            name: Inactivity anomaly
-
-      - type: history-graph
-        title: Last 6h — Heart rate & breathing
-        hours_to_show: 6
-        refresh_interval: 60
-        entities:
-          - entity: sensor.ruview_bedroom_heart_rate
-          - entity: sensor.ruview_bedroom_breathing_rate
-
-      - type: logbook
-        title: Recent events
-        hours_to_show: 24
-        entities:
-          - event.ruview_bedroom_fall
-          - event.ruview_bedroom_bed_exit
-          - event.ruview_bedroom_multi_room_transition
@@ -1,82 +0,0 @@
-# RuView — Multi-node grid Lovelace dashboard
-#
-# For deployments with multiple RuView nodes (typical: one per room,
-# all behind a Cognitum Seed bridge). Shows a top-level grid of every
-# room's presence + person count + activity, with drill-in links.
-#
-# Replace `_bedroom`, `_living`, `_kitchen`, `_office`, `_bathroom`
-# with your actual room slugs from the friendly_name resolution.
-
-title: RuView — Whole house
-path: ruview-house
-icon: mdi:home-search
-
-cards:
-  - type: markdown
-    content: >
-      ## RuView — Whole house view
-      Each tile is one room; tap to drill into raw vitals + semantic
-      primitives for that room.
-
-  - type: grid
-    columns: 2
-    square: false
-    cards:
-      - type: tile
-        entity: binary_sensor.ruview_bedroom_presence
-        name: 🛏 Bedroom
-        features:
-          - type: target-temperature
-        tap_action:
-          action: navigate
-          navigation_path: /lovelace/ruview-bedroom
-
-      - type: tile
-        entity: binary_sensor.ruview_living_presence
-        name: 🛋 Living
-        tap_action:
-          action: navigate
-          navigation_path: /lovelace/ruview-living
-
-      - type: tile
-        entity: binary_sensor.ruview_kitchen_presence
-        name: 🍳 Kitchen
-        tap_action:
-          action: navigate
-          navigation_path: /lovelace/ruview-kitchen
-
-      - type: tile
-        entity: binary_sensor.ruview_office_presence
-        name: 💻 Office
-        tap_action:
-          action: navigate
-          navigation_path: /lovelace/ruview-office
-
-      - type: tile
-        entity: binary_sensor.ruview_bathroom_occupied
-        name: 🚿 Bathroom
-        tap_action:
-          action: navigate
-          navigation_path: /lovelace/ruview-bathroom
-
-  - type: glance
-    title: House-wide counts
-    entities:
-      - entity: sensor.ruview_bedroom_person_count
-        name: Bedroom
-      - entity: sensor.ruview_living_person_count
-        name: Living
-      - entity: sensor.ruview_kitchen_person_count
-        name: Kitchen
-      - entity: sensor.ruview_office_person_count
-        name: Office
-
-  - type: logbook
-    title: Recent semantic events
-    hours_to_show: 24
-    entities:
-      - event.ruview_bedroom_fall
-      - event.ruview_bedroom_bed_exit
-      - event.ruview_living_fall
-      - event.ruview_kitchen_fall
-      - event.ruview_office_multi_room_transition
@@ -1,88 +0,0 @@
-# RuView — Healthcare / AAL (Active and Assisted Living) dashboard
-#
-# A care-giver-facing view designed for deployments where the
-# resident's wellbeing is the primary signal. Uses ONLY the semantic
-# primitives — no raw HR/BR exposed to the dashboard surface — so it
-# remains useful under `--privacy-mode` where biometric values are
-# stripped from MQTT.
-#
-# Drop into a Lovelace view that the carer accesses via their phone
-# (HA mobile app). The custom-button-card and apexcharts-card
-# dependencies are optional but improve readability — install via
-# HACS or fall back to the standard "entity" and "history-graph"
-# cards below as graceful degradation.
-
-title: RuView — Care view
-path: ruview-care
-icon: mdi:heart-pulse
-
-cards:
-  - type: markdown
-    content: >
-      ## RuView — Resident care view
-      **Privacy-mode-compatible** — only inferred wellbeing states
-      shown. No biometric values exposed to this dashboard.
-
-  - type: vertical-stack
-    cards:
-      - type: horizontal-stack
-        cards:
-          - type: tile
-            entity: binary_sensor.ruview_bedroom_someone_sleeping
-            name: Sleeping
-            icon: mdi:sleep
-            color: blue
-          - type: tile
-            entity: binary_sensor.ruview_bedroom_room_active
-            name: Active
-            icon: mdi:home-account
-            color: green
-          - type: tile
-            entity: binary_sensor.ruview_bedroom_bathroom_occupied
-            name: Bathroom
-            icon: mdi:shower
-            color: cyan
-
-      - type: horizontal-stack
-        cards:
-          - type: tile
-            entity: binary_sensor.ruview_bedroom_possible_distress
-            name: Distress
-            icon: mdi:alert-octagon
-            color: red
-          - type: tile
-            entity: binary_sensor.ruview_bedroom_elderly_inactivity_anomaly
-            name: Inactivity anomaly
-            icon: mdi:account-off
-            color: orange
-          - type: tile
-            entity: binary_sensor.ruview_bedroom_no_movement
-            name: No movement
-            icon: mdi:hand-back-left-off
-            color: amber
-
-      - type: gauge
-        entity: sensor.ruview_bedroom_fall_risk_elevated
-        name: Fall risk (24h trailing)
-        min: 0
-        max: 100
-        severity:
-          green: 0
-          yellow: 40
-          red: 70
-
-      - type: logbook
-        title: 24h care events
-        hours_to_show: 24
-        entities:
-          - event.ruview_bedroom_fall
-          - event.ruview_bedroom_bed_exit
-          - binary_sensor.ruview_bedroom_possible_distress
-          - binary_sensor.ruview_bedroom_elderly_inactivity_anomaly
-          - binary_sensor.ruview_bedroom_no_movement
-
-      - type: entity
-        entity: binary_sensor.ruview_bedroom_presence
-        name: Last presence change
-        attribute: last_changed
-        icon: mdi:clock-outline
@@ -1,47 +0,0 @@
-# RuView Lovelace dashboards
-
-Drop-in Lovelace dashboard YAMLs for three common deployment shapes.
-Paste the contents of any file into HA's **Lovelace raw config editor**
-(Settings → Dashboards → ⋮ → Edit dashboard → ⋮ → Raw config editor)
-and edit the `binary_sensor.ruview_<room>_*` entity IDs to match what
-HA auto-discovered from your RuView nodes.
-
-| # | View                              | When to use                            |
-|---|-----------------------------------|----------------------------------------|
-| 1 | [Single-room overview](01-single-room-overview.yaml) | One RuView node, full 21-entity surface |
-| 2 | [Multi-node grid](02-multi-node-grid.yaml)            | 3+ RuView nodes (whole-house deploy)    |
-| 3 | [Healthcare / AAL view](03-healthcare-aal-view.yaml)  | Care-giver dashboard; **privacy-mode-safe** (no biometrics shown) |
-
-## Renaming entities
-
-RuView's MQTT auto-discovery generates entity IDs from the node's MAC
-address by default (`binary_sensor.ruview_aabbccddeeff_presence`).
-To get friendly names like `binary_sensor.ruview_bedroom_presence`,
-either:
-
-1. **Rename in HA** — open the entity, click the settings cog, change
-   the entity ID. HA stores the rename in its own DB; the MQTT
-   discovery topic stays the same.
-2. **Set `node_friendly_name`** in the sensing-server NVS config (per
-   ADR-115 §9.6 maintainer-ACK'd decision: NVS-only, no ADR-039
-   packet change). HA picks the friendly name up at next discovery
-   refresh.
-
-## Privacy-mode compatibility
-
-The third dashboard is designed for healthcare / AAL deployments where
-`--privacy-mode` is set on the sensing-server. Under privacy mode:
-
- HR / BR / pose entities never reach HA (discovery is suppressed).
- Semantic primitives (someone_sleeping, possible_distress, etc.)
-  continue to publish because they're inferred *states* server-side,
-  not biometric *values*.
-
-The healthcare dashboard binds only to semantic-primitive entities,
-so it remains useful — and HIPAA / GDPR-cleaner — under privacy mode.
-
-## Linked
-
- [ADR-115](../../docs/adr/ADR-115-home-assistant-integration.md) — full design
- [`docs/integrations/home-assistant.md`](../../docs/integrations/home-assistant.md)
- [`examples/ha-blueprints/`](../ha-blueprints/) — 8 starter automations
@@ -1,230 +0,0 @@
-#!/usr/bin/env bash
-# ADR-115 — ESP32 ↔ MQTT end-to-end validation harness.
-#
-# Asserts: real ESP32-S3 CSI source → sensing-server → MQTT broker →
-# the full set of expected HA discovery topics + at least one state
-# message per entity. Exits 0 only if all asserts pass.
-#
-# Prereqs (caller responsibility):
-#   - ESP32-S3 on COM7 (Windows) or /dev/ttyUSB0 (Linux), provisioned
-#     with WiFi credentials + a reachable seed URL (see provision.py)
-#   - mosquitto-clients installed (apt-get install mosquitto-clients)
-#   - sensing-server built with --features mqtt
-#
-# Usage:
-#   bash scripts/validate-esp32-mqtt.sh \
-#       --duration 60 \
-#       --broker 127.0.0.1:11883 \
-#       --report dist/validation-esp32-<sha>.txt
-#
-# The script:
-#   1. Starts mosquitto locally with allow_anonymous + log_dest stdout
-#   2. Starts sensing-server with --source esp32 --mqtt
-#   3. Streams `mosquitto_sub -t 'homeassistant/#'` for `duration` seconds
-#   4. Parses the captured topics → verifies coverage matrix
-#   5. Generates a report under `--report` that goes into the witness bundle
-#
-# This harness IS the proof-of-life for ADR-115 against real hardware.
-
-set -euo pipefail
-
-# ── Defaults ─────────────────────────────────────────────────────────
-DURATION=60
-BROKER_HOST="127.0.0.1"
-BROKER_PORT=11883
-REPORT="dist/validation-esp32-$(git rev-parse --short HEAD 2>/dev/null || echo unknown).txt"
-SOURCE="esp32"
-
-usage() {
-  cat <<EOF
-Usage: $0 [options]
-
-Options:
-  --duration N         Seconds to capture MQTT traffic (default 60)
-  --broker HOST:PORT   MQTT broker (default 127.0.0.1:11883)
-  --source SRC         sensing-server --source flag (default esp32)
-  --report FILE        Write validation report here
-  -h, --help           This help
-EOF
-}
-
-# ── Argument parsing ─────────────────────────────────────────────────
-while [[ $# -gt 0 ]]; do
-  case "$1" in
-    --duration) DURATION="$2"; shift 2 ;;
-    --broker)   BROKER_HOST="${2%%:*}"; BROKER_PORT="${2##*:}"; shift 2 ;;
-    --source)   SOURCE="$2"; shift 2 ;;
-    --report)   REPORT="$2"; shift 2 ;;
-    -h|--help)  usage; exit 0 ;;
-    *) echo "[validate] unknown arg: $1" >&2; usage; exit 2 ;;
-  esac
-done
-
-mkdir -p "$(dirname "$REPORT")"
-TMPDIR="$(mktemp -d)"
-trap "rm -rf '$TMPDIR'" EXIT
-
-# ── Pre-flight checks ────────────────────────────────────────────────
-echo "[validate] phase 1/5 — pre-flight"
-need() {
-  command -v "$1" >/dev/null 2>&1 || { echo "[validate] FATAL: '$1' not on PATH" >&2; exit 3; }
-}
-need mosquitto_sub
-need mosquitto_pub
-need cargo
-
-# Confirm a broker is reachable; if not, start one inline.
-SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
-cd "$ROOT"
-
-BROKER_PID=""
-if ! mosquitto_pub -h "$BROKER_HOST" -p "$BROKER_PORT" -t healthcheck -m ok -q 0 2>/dev/null; then
-  if command -v mosquitto >/dev/null 2>&1; then
-    cat > "$TMPDIR/mosquitto.conf" <<EOF
-listener $BROKER_PORT
-allow_anonymous true
-persistence false
-log_dest stdout
-EOF
-    mosquitto -c "$TMPDIR/mosquitto.conf" >"$TMPDIR/mosquitto.log" 2>&1 &
-    BROKER_PID=$!
-    echo "[validate] started inline mosquitto pid=$BROKER_PID on $BROKER_PORT"
-    sleep 2
-  else
-    echo "[validate] FATAL: no broker at $BROKER_HOST:$BROKER_PORT and 'mosquitto' not installed" >&2
-    exit 4
-  fi
-fi
-
-# ── Start sensing-server with MQTT ───────────────────────────────────
-echo "[validate] phase 2/5 — start sensing-server with --source $SOURCE --mqtt"
-
-SERVER_LOG="$TMPDIR/sensing-server.log"
-( cd v2 && cargo run --release -p wifi-densepose-sensing-server \
-    --features mqtt --example mqtt_publisher -- \
-    --mqtt --mqtt-host "$BROKER_HOST" --mqtt-port "$BROKER_PORT" \
-    --source "$SOURCE" \
-    >"$SERVER_LOG" 2>&1 ) &
-SERVER_PID=$!
-echo "[validate] sensing-server pid=$SERVER_PID"
-
-cleanup() {
-  if [[ -n "${SERVER_PID:-}" ]]; then kill "$SERVER_PID" 2>/dev/null || true; fi
-  if [[ -n "${BROKER_PID:-}" ]]; then kill "$BROKER_PID" 2>/dev/null || true; fi
-}
-trap cleanup EXIT
-
-sleep 3
-if ! kill -0 "$SERVER_PID" 2>/dev/null; then
-  echo "[validate] FATAL: sensing-server died on startup" >&2
-  cat "$SERVER_LOG" | tail -40 >&2
-  exit 5
-fi
-
-# ── Capture MQTT traffic ─────────────────────────────────────────────
-echo "[validate] phase 3/5 — capture MQTT traffic for ${DURATION}s"
-
-MQTT_CAPTURE="$TMPDIR/mqtt-capture.log"
-( mosquitto_sub -h "$BROKER_HOST" -p "$BROKER_PORT" -t 'homeassistant/#' -v -W $((DURATION + 5)) \
-    >"$MQTT_CAPTURE" 2>&1 ) || true
-
-CAPTURED=$(wc -l < "$MQTT_CAPTURE")
-echo "[validate] captured $CAPTURED MQTT lines"
-
-# ── Assert coverage ──────────────────────────────────────────────────
-echo "[validate] phase 4/5 — assert coverage"
-
-EXPECTED_DISCOVERY=(
-  "binary_sensor/wifi_densepose_.*/presence/config"
-  "sensor/wifi_densepose_.*/person_count/config"
-  "sensor/wifi_densepose_.*/heart_rate/config"
-  "sensor/wifi_densepose_.*/breathing_rate/config"
-  "sensor/wifi_densepose_.*/motion_level/config"
-  "event/wifi_densepose_.*/fall/config"
-  "sensor/wifi_densepose_.*/rssi/config"
-  "binary_sensor/wifi_densepose_.*/someone_sleeping/config"
-  "binary_sensor/wifi_densepose_.*/possible_distress/config"
-  "binary_sensor/wifi_densepose_.*/room_active/config"
-  "binary_sensor/wifi_densepose_.*/bathroom_occupied/config"
-  "binary_sensor/wifi_densepose_.*/no_movement/config"
-  "binary_sensor/wifi_densepose_.*/meeting_in_progress/config"
-  "sensor/wifi_densepose_.*/fall_risk_elevated/config"
-  "event/wifi_densepose_.*/bed_exit/config"
-  "event/wifi_densepose_.*/multi_room_transition/config"
-)
-
-PASS=0
-FAIL=0
-RESULTS=""
-for pattern in "${EXPECTED_DISCOVERY[@]}"; do
-  if grep -qE "homeassistant/$pattern" "$MQTT_CAPTURE"; then
-    PASS=$((PASS + 1))
-    RESULTS+="  ✓ $pattern"$'\n'
-  else
-    FAIL=$((FAIL + 1))
-    RESULTS+="  ✗ $pattern"$'\n'
-  fi
-done
-
-# Also assert at least one state message landed.
-STATE_COUNT=$(grep -cE "/state " "$MQTT_CAPTURE" || true)
-if [[ "$STATE_COUNT" -gt 0 ]]; then
-  RESULTS+="  ✓ at least one state message published ($STATE_COUNT total)"$'\n'
-  PASS=$((PASS + 1))
-else
-  RESULTS+="  ✗ no state messages observed in capture"$'\n'
-  FAIL=$((FAIL + 1))
-fi
-
-# ── Generate report ──────────────────────────────────────────────────
-echo "[validate] phase 5/5 — write report to $REPORT"
-
-cat > "$REPORT" <<EOF
-# ADR-115 ESP32 ↔ MQTT validation report
-
-**Date**: $(date -u +%Y-%m-%dT%H:%M:%SZ)
-**Commit**: $(git rev-parse HEAD 2>/dev/null || echo "(no git)")
-**Branch**: $(git rev-parse --abbrev-ref HEAD 2>/dev/null || echo "(no git)")
-**Source**: $SOURCE
-**Broker**: $BROKER_HOST:$BROKER_PORT
-**Capture duration**: ${DURATION}s
-**MQTT lines captured**: $CAPTURED
-**State messages observed**: $STATE_COUNT
-
-## Result: $([ "$FAIL" -eq 0 ] && echo "PASS ✓" || echo "FAIL ✗")
-
- Assertions passed: $PASS
- Assertions failed: $FAIL
-
-## Coverage
-
-$RESULTS
-
-## Tail of sensing-server log (last 20 lines)
-
-\`\`\`
-$(tail -20 "$SERVER_LOG" 2>/dev/null || echo "(no log)")
-\`\`\`
-
-## Tail of mqtt capture (last 30 lines)
-
-\`\`\`
-$(tail -30 "$MQTT_CAPTURE" 2>/dev/null || echo "(no capture)")
-\`\`\`
-
-## Reproduce
-
-\`\`\`bash
-bash scripts/validate-esp32-mqtt.sh --duration $DURATION --broker $BROKER_HOST:$BROKER_PORT --source $SOURCE
-\`\`\`
-EOF
-
-echo
-echo "[validate] report written to $REPORT"
-echo "[validate] PASS=$PASS  FAIL=$FAIL"
-if [[ "$FAIL" -gt 0 ]]; then
-  echo "[validate] VALIDATION FAILED — see report for details"
-  exit 6
-fi
-echo "[validate] ESP32 ↔ MQTT validation: PASS ✓"
@@ -1,114 +0,0 @@
-#!/usr/bin/env python3
-"""Validate every YAML file under examples/ha-blueprints/.
-
-HA Blueprints use the `!input` YAML tag, which stock PyYAML doesn't
-know how to construct. We register a no-op constructor for it so we
-can still safe_load the files and assert on their structure.
-
-Exits 0 if all blueprints are well-formed, non-zero otherwise. Intended
-to run in CI on every PR that touches examples/ha-blueprints/.
-
-Usage:
-    python scripts/validate-ha-blueprints.py
-"""
-
-from __future__ import annotations
-
-import glob
-import sys
-from pathlib import Path
-
-import yaml
-
-
-class InputTag(str):
-    """No-op holder for HA `!input` markers — we don't expand them, just
-    verify the file parses."""
-
-
-def _input_constructor(loader, node):
-    return InputTag(loader.construct_scalar(node))
-
-
-def _secret_constructor(loader, node):
-    return f"<!secret {loader.construct_scalar(node)}>"
-
-
-yaml.SafeLoader.add_constructor("!input", _input_constructor)
-yaml.SafeLoader.add_constructor("!secret", _secret_constructor)
-
-
-REQUIRED_BLUEPRINT_KEYS = {"name", "description", "domain"}
-ALLOWED_DOMAINS = {"automation", "script"}
-
-
-def validate(path: Path) -> list[str]:
-    """Return a list of issues; empty list means the blueprint is valid."""
-    issues: list[str] = []
-    try:
-        with path.open(encoding="utf-8") as fh:
-            doc = yaml.safe_load(fh)
-    except yaml.YAMLError as e:
-        return [f"YAML parse error: {e}"]
-    except OSError as e:
-        return [f"could not open: {e}"]
-
-    if not isinstance(doc, dict):
-        return ["top-level must be a mapping"]
-
-    bp = doc.get("blueprint")
-    if not isinstance(bp, dict):
-        issues.append("missing `blueprint` mapping at top level")
-        return issues
-
-    missing = REQUIRED_BLUEPRINT_KEYS - bp.keys()
-    if missing:
-        issues.append(f"missing blueprint keys: {', '.join(sorted(missing))}")
-
-    domain = bp.get("domain")
-    if domain not in ALLOWED_DOMAINS:
-        issues.append(
-            f"unsupported blueprint.domain={domain!r}; allowed: {ALLOWED_DOMAINS}"
-        )
-
-    if not isinstance(bp.get("input"), dict) or not bp["input"]:
-        issues.append("blueprint.input must declare at least one input")
-
-    # The automation body must contain at least one of: trigger,
-    # action, sequence (script body).
-    if "trigger" not in doc and "action" not in doc and "sequence" not in doc:
-        issues.append(
-            "no `trigger`/`action`/`sequence` block — blueprint can't fire"
-        )
-
-    return issues
-
-
-def main() -> int:
-    root = Path(__file__).resolve().parent.parent
-    files = sorted(glob.glob(str(root / "examples" / "ha-blueprints" / "*.yaml")))
-    if not files:
-        print("ERROR: no blueprint YAML files found", file=sys.stderr)
-        return 2
-
-    fails = 0
-    for f in files:
-        issues = validate(Path(f))
-        rel = Path(f).relative_to(root)
-        if issues:
-            fails += 1
-            print(f"FAIL  {rel}")
-            for i in issues:
-                print(f"      {i}")
-        else:
-            print(f"ok    {rel}")
-
-    if fails:
-        print(f"\n{fails} blueprint(s) failed validation", file=sys.stderr)
-        return 1
-    print(f"\nAll {len(files)} HA Blueprints validate OK")
-    return 0
-
-
-if __name__ == "__main__":
-    sys.exit(main())
@@ -1,339 +0,0 @@
-#!/usr/bin/env bash
-# ADR-115 P10 — Witness bundle generator.
-#
-# Produces dist/witness-bundle-ADR115-<sha>.tar.gz containing every
-# artifact a reviewer needs to verify the ADR-115 implementation
-# end-to-end without trusting the implementer.
-#
-# Inspired by ADR-028's witness pattern (see scripts/generate-witness-
-# bundle.sh) — same structure, ADR-115-specific contents.
-#
-# Usage:
-#   bash scripts/witness-adr-115.sh
-#
-# The bundle includes:
-#   - WITNESS-LOG-115.md         (per-phase attestation matrix)
-#   - ADR-115.md                 (full design doc snapshot)
-#   - test-results/              (cargo test output, all 372 tests)
-#   - bench-results/             (criterion HTML reports)
-#   - mosquitto-captures/        (raw broker .pcap if run on host w/ broker)
-#   - integration-docs/          (home-assistant.md + metrics.md)
-#   - manifest/                  (SHA-256 of every artifact)
-#   - VERIFY.sh                  (one-command self-verification)
-
-set -euo pipefail
-
-ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
-cd "${ROOT}"
-
-SHA="$(git rev-parse --short HEAD)"
-DATE="$(date -u +%Y%m%dT%H%M%SZ)"
-BUNDLE_DIR="dist/witness-bundle-ADR115-${SHA}-${DATE}"
-mkdir -p "${BUNDLE_DIR}"/{test-results,bench-results,mosquitto-captures,integration-docs,manifest}
-
-echo "[witness] bundle dir: ${BUNDLE_DIR}"
-
-# ── 1. ADR snapshot + integration docs ───────────────────────────────
-cp docs/adr/ADR-115-home-assistant-integration.md "${BUNDLE_DIR}/"
-cp docs/integrations/home-assistant.md "${BUNDLE_DIR}/integration-docs/"
-cp docs/integrations/semantic-primitives-metrics.md "${BUNDLE_DIR}/integration-docs/"
-
-# ── 2. Unit + lib tests (all 372) ────────────────────────────────────
-echo "[witness] running lib tests"
-( cd v2 && cargo test -p wifi-densepose-sensing-server --no-default-features --lib --no-fail-fast \
-    2>&1 | tee "../${BUNDLE_DIR}/test-results/lib-tests.log" ) || true
-
-# ── 3. Unit tests under --features mqtt (publisher compile + lib) ────
-echo "[witness] running lib tests under --features mqtt"
-( cd v2 && cargo test -p wifi-densepose-sensing-server --features mqtt --no-default-features --lib --no-fail-fast \
-    2>&1 | tee "../${BUNDLE_DIR}/test-results/lib-tests-mqtt-feature.log" ) || true
-
-# ── 4. Integration tests against mosquitto (optional, conditional) ───
-if [[ "${RUVIEW_RUN_INTEGRATION:-0}" == "1" ]]; then
-  echo "[witness] running mosquitto integration tests"
-  ( cd v2 && cargo test -p wifi-densepose-sensing-server --features mqtt --no-default-features \
-      --test mqtt_integration --no-fail-fast -- --test-threads=1 \
-      2>&1 | tee "../${BUNDLE_DIR}/test-results/integration-tests.log" ) || true
-else
-  echo "[witness] SKIP mosquitto integration (set RUVIEW_RUN_INTEGRATION=1 to include)"
-  echo "Skipped — broker not configured for this run." > "${BUNDLE_DIR}/test-results/integration-tests.log"
-fi
-
-# ── 5. Criterion benchmarks (optional, slow) ─────────────────────────
-if [[ "${RUVIEW_RUN_BENCH:-0}" == "1" ]]; then
-  echo "[witness] running benchmarks (this takes ~3 min)"
-  ( cd v2 && cargo bench -p wifi-densepose-sensing-server --features mqtt --bench mqtt_throughput \
-      2>&1 | tee "../${BUNDLE_DIR}/bench-results/criterion-stdout.log" ) || true
-  if [[ -d v2/target/criterion ]]; then
-    tar -czf "${BUNDLE_DIR}/bench-results/criterion-html.tar.gz" -C v2/target criterion 2>/dev/null || true
-  fi
-else
-  echo "[witness] SKIP benchmarks (set RUVIEW_RUN_BENCH=1 to include — ~3 min)"
-  echo "Skipped — set RUVIEW_RUN_BENCH=1 to include." > "${BUNDLE_DIR}/bench-results/criterion-stdout.log"
-fi
-# Always include the benchmark reference doc with previously-captured numbers.
-cp docs/integrations/benchmarks.md "${BUNDLE_DIR}/bench-results/" 2>/dev/null || true
-
-# ── 5b. ESP32 ↔ MQTT validation report (optional, needs hardware) ────
-if [[ "${RUVIEW_RUN_ESP32:-0}" == "1" ]]; then
-  echo "[witness] running ESP32 validation (needs hardware on the configured port)"
-  bash scripts/validate-esp32-mqtt.sh \
-      --duration 60 \
-      --broker 127.0.0.1:11883 \
-      --report "${BUNDLE_DIR}/esp32-validation.md" \
-      2>&1 | tee "${BUNDLE_DIR}/esp32-validation-stdout.log" || true
-else
-  echo "[witness] SKIP ESP32 validation (set RUVIEW_RUN_ESP32=1 with hardware attached)"
-  cat > "${BUNDLE_DIR}/esp32-validation.md" <<EOF
-ESP32 ↔ MQTT validation was not run for this witness bundle.
-
-To include it, set RUVIEW_RUN_ESP32=1 and re-run the witness generator
-with a provisioned ESP32-S3 on COM7 (Windows) or /dev/ttyUSB0 (Linux).
-The harness in \`scripts/validate-esp32-mqtt.sh\` will write a real
-validation report into this slot.
-EOF
-fi
-
-# ── 6. Source manifest with SHA-256 of every ADR-115 file ────────────
-echo "[witness] computing source SHA-256 manifest"
-ADR_FILES=(
-  docs/adr/ADR-115-home-assistant-integration.md
-  docs/integrations/home-assistant.md
-  docs/integrations/semantic-primitives-metrics.md
-  v2/crates/wifi-densepose-sensing-server/src/cli.rs
-  v2/crates/wifi-densepose-sensing-server/src/lib.rs
-  v2/crates/wifi-densepose-sensing-server/src/mqtt/mod.rs
-  v2/crates/wifi-densepose-sensing-server/src/mqtt/config.rs
-  v2/crates/wifi-densepose-sensing-server/src/mqtt/discovery.rs
-  v2/crates/wifi-densepose-sensing-server/src/mqtt/privacy.rs
-  v2/crates/wifi-densepose-sensing-server/src/mqtt/publisher.rs
-  v2/crates/wifi-densepose-sensing-server/src/mqtt/security.rs
-  v2/crates/wifi-densepose-sensing-server/src/mqtt/state.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/mod.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/common.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/bus.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/sleeping.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/distress.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/room_active.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/elderly_anomaly.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/meeting.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/bathroom.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/fall_risk.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/bed_exit.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/no_movement.rs
-  v2/crates/wifi-densepose-sensing-server/src/semantic/multi_room.rs
-  v2/crates/wifi-densepose-sensing-server/Cargo.toml
-  v2/crates/wifi-densepose-sensing-server/tests/mqtt_integration.rs
-  v2/crates/wifi-densepose-sensing-server/benches/mqtt_throughput.rs
-  v2/crates/wifi-densepose-sensing-server/examples/mqtt_publisher.rs
-  .github/workflows/mqtt-integration.yml
-  # Matter scaffolding (P7 + P8a)
-  v2/crates/wifi-densepose-sensing-server/src/matter/mod.rs
-  v2/crates/wifi-densepose-sensing-server/src/matter/clusters.rs
-  v2/crates/wifi-densepose-sensing-server/src/matter/bridge.rs
-  v2/crates/wifi-densepose-sensing-server/src/matter/commissioning.rs
-  # Release + ops artifacts
-  docs/releases/v0.7.0-mqtt-matter.md
-  docs/integrations/benchmarks.md
-  scripts/validate-esp32-mqtt.sh
-  scripts/validate-ha-blueprints.py
-  # HA Blueprints (8)
-  examples/ha-blueprints/README.md
-  examples/ha-blueprints/01-notify-on-possible-distress.yaml
-  examples/ha-blueprints/02-dim-hallway-when-sleeping.yaml
-  examples/ha-blueprints/03-wake-routine-on-bed-exit.yaml
-  examples/ha-blueprints/04-alert-elderly-inactivity-anomaly.yaml
-  examples/ha-blueprints/05-meeting-lights-presence-mode.yaml
-  examples/ha-blueprints/06-bathroom-fan-while-occupied.yaml
-  examples/ha-blueprints/07-fall-risk-escalation.yaml
-  examples/ha-blueprints/08-auto-arm-security-when-not-active.yaml
-  # Lovelace dashboards (3)
-  examples/lovelace/README.md
-  examples/lovelace/01-single-room-overview.yaml
-  examples/lovelace/02-multi-node-grid.yaml
-  examples/lovelace/03-healthcare-aal-view.yaml
-)
-{
-  echo "# ADR-115 source manifest"
-  echo "# generated: ${DATE}"
-  echo "# commit: ${SHA}"
-  echo
-  for f in "${ADR_FILES[@]}"; do
-    if [[ -f "${f}" ]]; then
-      h=$(sha256sum "${f}" | awk '{print $1}')
-      printf "%s  %s\n" "${h}" "${f}"
-    fi
-  done
-} > "${BUNDLE_DIR}/manifest/source-hashes.txt"
-
-# Crate version capture.
-git rev-parse HEAD > "${BUNDLE_DIR}/manifest/git-head.txt"
-git log -1 --pretty=fuller > "${BUNDLE_DIR}/manifest/git-head-commit.txt"
-
-# ── 7. VERIFY.sh — recipient runs this to self-verify ────────────────
-cat > "${BUNDLE_DIR}/VERIFY.sh" <<'VERIFYEOF'
-#!/usr/bin/env bash
-# Self-verification script. Re-runs every check that was captured in
-# this bundle from the receiving end. Exit code 0 = bundle is internally
-# consistent and the implementation reproduces.
-set -euo pipefail
-cd "$(dirname "${BASH_SOURCE[0]}")"
-
-echo "[verify] checking required artifacts present…"
-required=(
-  ADR-115-home-assistant-integration.md
-  integration-docs/home-assistant.md
-  integration-docs/semantic-primitives-metrics.md
-  test-results/lib-tests.log
-  manifest/source-hashes.txt
-  manifest/git-head.txt
-)
-for f in "${required[@]}"; do
-  if [[ ! -f "${f}" ]]; then
-    echo "  ✗ missing ${f}" >&2
-    exit 1
-  fi
-  echo "  ✓ ${f}"
-done
-
-echo "[verify] checking lib test result line…"
-if grep -qE "test result: ok\. [0-9]+ passed; 0 failed" test-results/lib-tests.log; then
-  echo "  ✓ lib tests passed"
-else
-  echo "  ✗ lib test result not in expected 'ok. N passed; 0 failed' shape" >&2
-  exit 2
-fi
-
-echo "[verify] checking lib test under --features mqtt result line…"
-if [[ -f test-results/lib-tests-mqtt-feature.log ]]; then
-  if grep -qE "test result: ok\. [0-9]+ passed; 0 failed" test-results/lib-tests-mqtt-feature.log; then
-    echo "  ✓ mqtt-feature lib tests passed"
-  else
-    echo "  ✗ mqtt-feature lib test result not in expected shape" >&2
-    exit 3
-  fi
-fi
-
-echo "[verify] checking manifest format…"
-if ! head -3 manifest/source-hashes.txt | grep -q "ADR-115 source manifest"; then
-  echo "  ✗ manifest missing header" >&2
-  exit 4
-fi
-echo "  ✓ manifest header"
-
-# Optional: re-check SHA-256 of integration docs (the only files we
-# carry alongside the manifest — sources stay in the repo).
-echo "[verify] checking integration-docs SHA matches manifest entries (where applicable)…"
-ok=0
-fail=0
-while IFS= read -r line; do
-  hash=$(echo "$line" | awk '{print $1}')
-  path=$(echo "$line" | awk '{print $2}')
-  case "$path" in
-    docs/integrations/home-assistant.md)
-      actual=$(sha256sum integration-docs/home-assistant.md | awk '{print $1}')
-      if [ "$actual" = "$hash" ]; then
-        ok=$((ok+1)); echo "  ✓ home-assistant.md matches"
-      else
-        fail=$((fail+1)); echo "  ✗ home-assistant.md hash MISMATCH"
-      fi
-      ;;
-    docs/integrations/semantic-primitives-metrics.md)
-      actual=$(sha256sum integration-docs/semantic-primitives-metrics.md | awk '{print $1}')
-      if [ "$actual" = "$hash" ]; then
-        ok=$((ok+1)); echo "  ✓ semantic-primitives-metrics.md matches"
-      else
-        fail=$((fail+1)); echo "  ✗ semantic-primitives-metrics.md hash MISMATCH"
-      fi
-      ;;
-  esac
-done < manifest/source-hashes.txt
-
-if [ "$fail" -gt 0 ]; then
-  echo "[verify] FAILED: ${fail} hash mismatch(es)" >&2
-  exit 5
-fi
-echo "  ✓ ${ok} integration-doc hash(es) verified"
-
-echo
-echo "=============================================="
-echo "  ADR-115 witness bundle: VERIFIED ✓"
-echo "=============================================="
-VERIFYEOF
-chmod +x "${BUNDLE_DIR}/VERIFY.sh"
-
-# ── 8. WITNESS-LOG-115.md attestation matrix ─────────────────────────
-cat > "${BUNDLE_DIR}/WITNESS-LOG-115.md" <<EOF
-# ADR-115 — Witness Log
-
-**Bundle**: \`witness-bundle-ADR115-${SHA}-${DATE}\`
-**Commit**: \`${SHA}\` (\`git log -1 --pretty=fuller\` in \`manifest/\`)
-**Generated**: ${DATE}
-
-## Per-phase attestation
-
-| Phase | Scope | Evidence | Status |
-|---|---|---|---|
-| P1 | MQTT feature + CLI flags | \`cli::tests\` 6/6 pass — see \`test-results/lib-tests.log\` (search "cli::tests") | ✅ |
-| P2 | HA discovery emitter | \`mqtt::discovery\` + \`mqtt::config\` + \`mqtt::privacy\` 24/24 pass | ✅ |
-| P3 | State + publisher | \`mqtt::state\` 18 pass + publisher compile-checked under \`--features mqtt\` | ✅ |
-| P4 | Mosquitto integration | \`tests/mqtt_integration.rs\` 3 tests + \`.github/workflows/mqtt-integration.yml\` | ✅ (CI-gated) |
-| P4.5 | Semantic inference (HA-MIND) | \`semantic::\` 66/66 pass — 10 v1 primitives + bus | ✅ |
-| P5 | Docs (HA + metrics) | \`integration-docs/home-assistant.md\` + \`integration-docs/semantic-primitives-metrics.md\` | ✅ |
-| P6 | Wiring example | \`examples/mqtt_publisher.rs\` — runnable demo, no main.rs touch needed | ✅ |
-| P7 | Matter SDK spike | DEFERRED — landing in v0.7.1 (matter-rs maturity gate per ADR §9.10) | ⏸ |
-| P8 | Matter Bridge production | DEFERRED — blocked on P7 | ⏸ |
-| P9 | Security + bench | \`mqtt::security\` 15 tests + \`benches/mqtt_throughput.rs\` | ✅ |
-| P10 | This bundle | self-attesting | ✅ |
-
-## How to verify
-
-\`\`\`bash
-tar -xzf witness-bundle-ADR115-${SHA}-${DATE}.tar.gz
-cd witness-bundle-ADR115-${SHA}-${DATE}
-bash VERIFY.sh
-\`\`\`
-
-## Reproducing
-
-\`\`\`bash
-git checkout ${SHA}
-cd v2
-cargo test -p wifi-densepose-sensing-server --no-default-features --lib
-cargo test -p wifi-densepose-sensing-server --features mqtt --no-default-features --lib
-
-# Integration (needs Mosquitto on :11883):
-RUVIEW_RUN_INTEGRATION=1 cargo test -p wifi-densepose-sensing-server \\
-    --features mqtt --no-default-features --test mqtt_integration -- --test-threads=1
-\`\`\`
-
-## Inclusions
-
- \`ADR-115-home-assistant-integration.md\` — design (snapshot at ${SHA})
- \`integration-docs/home-assistant.md\` — operator guide
- \`integration-docs/semantic-primitives-metrics.md\` — per-primitive F1
- \`test-results/lib-tests.log\` — \`cargo test --no-default-features --lib\`
- \`test-results/lib-tests-mqtt-feature.log\` — under \`--features mqtt\`
- \`test-results/integration-tests.log\` — mosquitto roundtrip (if RUVIEW_RUN_INTEGRATION=1)
- \`bench-results/criterion-stdout.log\` — bench numbers (if RUVIEW_RUN_BENCH=1)
- \`bench-results/criterion-html.tar.gz\` — HTML reports (if bench ran)
- \`manifest/source-hashes.txt\` — SHA-256 of every ADR-115 file
- \`manifest/git-head.txt\` + \`git-head-commit.txt\` — exact source commit
- \`VERIFY.sh\` — self-verification
-
-## Decision principle attestation
-
-Per maintainer ACK 2026-05-23 (see ADR §9):
-
-> preserve clean protocols, avoid firmware bloat, avoid fake semantics, ship MQTT first, validate Matter second.
-
-P7–P8 (Matter) deferred to v0.7.1+ pending \`matter-rs\` SDK maturity per §9.10.
-This bundle attests the MQTT path is production-ready.
-EOF
-
-# ── 9. Tarball the bundle ────────────────────────────────────────────
-tar -czf "${BUNDLE_DIR}.tar.gz" -C dist "$(basename "${BUNDLE_DIR}")"
-echo
-echo "[witness] bundle: ${BUNDLE_DIR}.tar.gz"
-echo "[witness] size:   $(du -h "${BUNDLE_DIR}.tar.gz" | awk '{print $1}')"
-echo "[witness] verify: cd ${BUNDLE_DIR} && bash VERIFY.sh"
@@ -929,25 +929,6 @@ version = "1.0.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "3a822ea5bc7590f9d40f1ba12c0dc3c2760f3482c6984db1573ad11031420831"

-[[package]]
-name = "cog-ha-matter"
-version = "0.3.0"
-dependencies = [
- "clap",
- "ed25519-dalek",
- "mdns-sd",
- "serde",
- "serde_json",
- "sha2",
- "tempfile",
- "thiserror 1.0.69",
- "tokio",
- "tracing",
- "tracing-subscriber",
- "wifi-densepose-hardware",
- "wifi-densepose-sensing-server",
-]
-
 [[package]]
 name = "cog-person-count"
 version = "0.3.0"
@@ -1076,12 +1057,6 @@ dependencies = [
 "wasm-bindgen",
 ]

-[[package]]
-name = "const-oid"
-version = "0.9.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "c2459377285ad874054d797f3ccebf984978aa39129f6eafde5cdc8315b612f8"
-
 [[package]]
 name = "constant_time_eq"
 version = "0.1.5"
@@ -1375,33 +1350,6 @@ dependencies = [
 "libloading 0.9.0",
 ]

-[[package]]
-name = "curve25519-dalek"
-version = "4.1.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "97fb8b7c4503de7d6ae7b42ab72a5a59857b4c937ec27a3d4539dba95b5ab2be"
-dependencies = [
- "cfg-if",
- "cpufeatures",
- "curve25519-dalek-derive",
- "digest",
- "fiat-crypto",
- "rustc_version",
- "subtle",
- "zeroize",
-]
-
-[[package]]
-name = "curve25519-dalek-derive"
-version = "0.1.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f46882e17999c6cc590af592290432be3bce0428cb0d5f8b6715e4dc7b383eb3"
-dependencies = [
- "proc-macro2",
- "quote",
- "syn 2.0.117",
-]
-
 [[package]]
 name = "darling"
 version = "0.21.3"
@@ -1463,7 +1411,6 @@ version = "0.7.10"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "e7c1832837b905bbfb5101e07cc24c8deddf52f93225eee6ead5f4d63d53ddcb"
 dependencies = [
- "const-oid",
 "pem-rfc7468",
 "zeroize",
 ]
@@ -1558,7 +1505,7 @@ dependencies = [
 "libc",
 "option-ext",
 "redox_users 0.5.2",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -1679,30 +1626,6 @@ dependencies = [
 "num-traits",
 ]

-[[package]]
-name = "ed25519"
-version = "2.2.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "115531babc129696a58c64a4fef0a8bf9e9698629fb97e9e40767d235cfbcd53"
-dependencies = [
- "pkcs8",
- "signature",
-]
-
-[[package]]
-name = "ed25519-dalek"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "70e796c081cee67dc755e1a36a0a172b897fab85fc3f6bc48307991f64e4eca9"
-dependencies = [
- "curve25519-dalek",
- "ed25519",
- "serde",
- "sha2",
- "subtle",
- "zeroize",
-]
-
 [[package]]
 name = "either"
 version = "1.15.0"
@@ -1803,7 +1726,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "39cab71617ae0d63f51a36d69f866391735b51691dbda63cf6f96d042b63efeb"
 dependencies = [
 "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -1833,12 +1756,6 @@ dependencies = [
 "simd-adler32",
 ]

-[[package]]
-name = "fiat-crypto"
-version = "0.2.9"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "28dea519a9695b9977216879a3ebfddf92f1c08c05d984f8996aecd6ecdc811d"
-
 [[package]]
 name = "field-offset"
 version = "0.3.6"
@@ -3181,7 +3098,7 @@ dependencies = [
 "hyper 0.14.32",
 "rustls 0.21.12",
 "tokio",
- "tokio-rustls 0.24.1",
+ "tokio-rustls",
 ]

 [[package]]
@@ -3217,7 +3134,7 @@ dependencies = [
 "libc",
 "percent-encoding",
 "pin-project-lite",
- "socket2 0.6.2",
+ "socket2 0.5.10",
 "tokio",
 "tower-service",
 "tracing",
@@ -3478,7 +3395,7 @@ checksum = "3640c1c38b8e4e43584d8df18be5fc6b0aa314ce6ebf51b53313d4306cca8e46"
 dependencies = [
 "hermit-abi",
 "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -4185,10 +4102,10 @@ dependencies = [
 "libc",
 "log",
 "openssl",
- "openssl-probe 0.2.1",
+ "openssl-probe",
 "openssl-sys",
 "schannel",
- "security-framework 3.7.0",
+ "security-framework",
 "security-framework-sys",
 "tempfile",
 ]
@@ -4379,7 +4296,7 @@ version = "0.50.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7957b9740744892f114936ab4a57b3f487491bbeafaf8083688b16841a4240e5"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -4744,12 +4661,6 @@ dependencies = [
 "syn 2.0.117",
 ]

-[[package]]
-name = "openssl-probe"
-version = "0.1.6"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d05e27ee213611ffe7d6348b942e8f942b37114c00cc03cec254295a4a17852e"
-
 [[package]]
 name = "openssl-probe"
 version = "0.2.1"
@@ -4814,7 +4725,7 @@ source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "7d8fae84b431384b68627d0f9b3b1245fcf9f46f6c0e3dc902e9dce64edd1967"
 dependencies = [
 "libc",
- "windows-sys 0.61.2",
+ "windows-sys 0.45.0",
 ]

 [[package]]
@@ -5163,16 +5074,6 @@ version = "0.1.0"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "8b870d8c151b6f2fb93e84a13146138f05d02ed11c7e7c54f8826aaaf7c9f184"

-[[package]]
-name = "pkcs8"
-version = "0.10.2"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "f950b2377845cebe5cf8b5165cb3cc1a5e0fa5cfa3e1f7f55707d8fd82e0a7b7"
-dependencies = [
- "der",
- "spki",
-]
-
 [[package]]
 name = "pkg-config"
 version = "0.3.32"
@@ -5568,7 +5469,7 @@ dependencies = [
 "quinn-udp",
 "rustc-hash",
 "rustls 0.23.37",
- "socket2 0.6.2",
+ "socket2 0.5.10",
 "thiserror 2.0.18",
 "tokio",
 "tracing",
@@ -5607,9 +5508,9 @@ dependencies = [
 "cfg_aliases",
 "libc",
 "once_cell",
- "socket2 0.6.2",
+ "socket2 0.5.10",
 "tracing",
- "windows-sys 0.60.2",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -5974,14 +5875,14 @@ dependencies = [
 "percent-encoding",
 "pin-project-lite",
 "rustls 0.21.12",
- "rustls-pemfile 1.0.4",
+ "rustls-pemfile",
 "serde",
 "serde_json",
 "serde_urlencoded",
 "sync_wrapper 0.1.2",
 "system-configuration",
 "tokio",
- "tokio-rustls 0.24.1",
+ "tokio-rustls",
 "tower-service",
 "url",
 "wasm-bindgen",
@@ -6208,24 +6109,6 @@ dependencies = [
 "smallvec",
 ]

-[[package]]
-name = "rumqttc"
-version = "0.24.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e1568e15fab2d546f940ed3a21f48bbbd1c494c90c99c4481339364a497f94a9"
-dependencies = [
- "bytes",
- "flume",
- "futures-util",
- "log",
- "rustls-native-certs 0.7.3",
- "rustls-pemfile 2.2.0",
- "rustls-webpki 0.102.8",
- "thiserror 1.0.69",
- "tokio",
- "tokio-rustls 0.25.0",
-]
-
 [[package]]
 name = "rustc-hash"
 version = "2.1.1"
@@ -6265,7 +6148,7 @@ dependencies = [
 "errno",
 "libc",
 "linux-raw-sys",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -6280,20 +6163,6 @@ dependencies = [
 "sct",
 ]

-[[package]]
-name = "rustls"
-version = "0.22.4"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "bf4ef73721ac7bcd79b2b315da7779d8fc09718c6b3d2d1b2d94850eb8c18432"
-dependencies = [
- "log",
- "ring",
- "rustls-pki-types",
- "rustls-webpki 0.102.8",
- "subtle",
- "zeroize",
-]
-
 [[package]]
 name = "rustls"
 version = "0.23.37"
@@ -6309,29 +6178,16 @@ dependencies = [
 "zeroize",
 ]

-[[package]]
-name = "rustls-native-certs"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "e5bfb394eeed242e909609f56089eecfe5fda225042e8b171791b9c95f5931e5"
-dependencies = [
- "openssl-probe 0.1.6",
- "rustls-pemfile 2.2.0",
- "rustls-pki-types",
- "schannel",
- "security-framework 2.11.1",
-]
-
 [[package]]
 name = "rustls-native-certs"
 version = "0.8.3"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "612460d5f7bea540c490b2b6395d8e34a953e52b491accd6c86c8164c5932a63"
 dependencies = [
- "openssl-probe 0.2.1",
+ "openssl-probe",
 "rustls-pki-types",
 "schannel",
- "security-framework 3.7.0",
+ "security-framework",
 ]

 [[package]]
@@ -6343,15 +6199,6 @@ dependencies = [
 "base64 0.21.7",
 ]

-[[package]]
-name = "rustls-pemfile"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50"
-dependencies = [
- "rustls-pki-types",
-]
-
 [[package]]
 name = "rustls-pki-types"
 version = "1.14.0"
@@ -6374,13 +6221,13 @@ dependencies = [
 "log",
 "once_cell",
 "rustls 0.23.37",
- "rustls-native-certs 0.8.3",
+ "rustls-native-certs",
 "rustls-platform-verifier-android",
 "rustls-webpki 0.103.13",
- "security-framework 3.7.0",
+ "security-framework",
 "security-framework-sys",
 "webpki-root-certs",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -6399,17 +6246,6 @@ dependencies = [
 "untrusted",
 ]

-[[package]]
-name = "rustls-webpki"
-version = "0.102.8"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "64ca1bc8749bd4cf37b5ce386cc146580777b4e8572c7b97baf22c83f444bee9"
-dependencies = [
- "ring",
- "rustls-pki-types",
- "untrusted",
-]
-
 [[package]]
 name = "rustls-webpki"
 version = "0.103.13"
@@ -6712,19 +6548,6 @@ dependencies = [
 "untrusted",
 ]

-[[package]]
-name = "security-framework"
-version = "2.11.1"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "897b2245f0b511c87893af39b033e5ca9cce68824c4d7e7630b5a1d339658d02"
-dependencies = [
- "bitflags 2.11.0",
- "core-foundation 0.9.4",
- "core-foundation-sys",
- "libc",
- "security-framework-sys",
-]
-
 [[package]]
 name = "security-framework"
 version = "3.7.0"
@@ -7072,15 +6895,6 @@ dependencies = [
 "libc",
 ]

-[[package]]
-name = "signature"
-version = "2.2.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "77549399552de45a898a580c1b41d445bf730df867cc44e6c0233bbc4b8329de"
-dependencies = [
- "rand_core 0.6.4",
-]
-
 [[package]]
 name = "simba"
 version = "0.9.1"
@@ -7239,16 +7053,6 @@ dependencies = [
 "lock_api",
 ]

-[[package]]
-name = "spki"
-version = "0.7.3"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "d91ed6c858b01f942cd56b37a94b3e0a1798290327d1236e4d9cf4eaca44d29d"
-dependencies = [
- "base64ct",
- "der",
-]
-
 [[package]]
 name = "stable_deref_trait"
 version = "1.2.1"
@@ -7846,7 +7650,7 @@ dependencies = [
 "getrandom 0.4.1",
 "once_cell",
 "rustix",
- "windows-sys 0.61.2",
+ "windows-sys 0.59.0",
 ]

 [[package]]
@@ -8039,17 +7843,6 @@ dependencies = [
 "tokio",
 ]

-[[package]]
-name = "tokio-rustls"
-version = "0.25.0"
-source = "registry+https://github.com/rust-lang/crates.io-index"
-checksum = "775e0c0f0adb3a2f22a00c4745d728b479985fc15ee7ca6a2608388c5569860f"
-dependencies = [
- "rustls 0.22.4",
- "rustls-pki-types",
- "tokio",
-]
-
 [[package]]
 name = "tokio-serial"
 version = "5.4.5"
@@ -9332,12 +9125,9 @@ dependencies = [
 "axum",
 "chrono",
 "clap",
- "criterion",
 "futures-util",
 "midstreamer-attractor",
 "midstreamer-temporal-compare",
- "proptest",
- "rumqttc",
 "ruvector-mincut",
 "serde",
 "serde_json",
@@ -9480,7 +9270,7 @@ version = "0.1.11"
 source = "registry+https://github.com/rust-lang/crates.io-index"
 checksum = "c2a7b1c03c876122aa43f3020e6c3c3ee5c05081c9a00739faf7503aeba10d22"
 dependencies = [
- "windows-sys 0.61.2",
+ "windows-sys 0.48.0",
 ]

 [[package]]
@@ -38,10 +38,6 @@ members = [
    # PR #491 slot heuristic with a Candle network + Stoer-Wagner fusion.
    # Motivated by #499 ghost-skeleton reports.
    "crates/cog-person-count",
-    # ADR-116: Home Assistant + Matter Cognitum Seed cog. Wraps the
-    # ADR-115 MQTT publisher as a Seed-installable artifact with
-    # mDNS, embedded broker, RuVector thresholds, Ed25519 witness.
-    "crates/cog-ha-matter",
    # rvCSI — edge RF sensing runtime (ADR-095 platform, ADR-096 FFI/crate layout):
    # lives in its own repo (https://github.com/ruvnet/rvcsi), vendored here as
    # `vendor/rvcsi` and published to crates.io as `rvcsi-*` 0.3.x. Depend on the
@@ -1,50 +0,0 @@
-[package]
-name = "cog-ha-matter"
-version.workspace = true
-edition.workspace = true
-authors.workspace = true
-license.workspace = true
-repository.workspace = true
-description = "Cognitum Cog: Home Assistant + Matter integration for the Seed (ADR-116). Wraps ADR-115's HA-DISCO + HA-MIND publisher as a Seed-installable artifact with mDNS, embedded broker, RuVector-backed thresholds, and Ed25519 witness."
-publish = false
-
-[[bin]]
-name = "cog-ha-matter"
-path = "src/main.rs"
-
-[lib]
-name = "cog_ha_matter"
-path = "src/lib.rs"
-
-[dependencies]
-# CLI + logging — same shape as cog-pose-estimation (ADR-101).
-clap = { version = "4", features = ["derive"] }
-serde = { version = "1", features = ["derive"] }
-serde_json = "1"
-thiserror = "1"
-tracing = "0.1"
-tracing-subscriber = { version = "0.3", features = ["env-filter", "json"] }
-
-# Async runtime for the publisher + mDNS responder + WebSocket pump.
-tokio = { workspace = true, features = ["full"] }
-
-# ADR-115 publisher is the heart of this cog — we wrap it.
-# default-features = false matches the sensing-server's pattern.
-wifi-densepose-sensing-server = { version = "0.3.0", path = "../wifi-densepose-sensing-server", default-features = false, features = ["mqtt"] }
-
-# Hardware crate for SyncPacket + NodeState bridging (ADR-110 substrate).
-wifi-densepose-hardware = { version = "0.3.0", path = "../wifi-densepose-hardware" }
-
-# Witness chain (ADR-116 P4): SHA-256 hash chain + Ed25519 signature
-# layer for tamper-evident audit logs (ADR-116 §2.2). Same version
-# already vetted by ruv-neural — keep them aligned.
-sha2 = { workspace = true }
-ed25519-dalek = "2.1"
-
-# mDNS responder (ADR-116 P4 §2.2): pure-Rust zero-conf daemon.
-# Same version pinned in wifi-densepose-desktop to keep the
-# workspace lockfile narrow.
-mdns-sd = "0.11"
-
-[dev-dependencies]
-tempfile = "3.10"
@@ -1,46 +0,0 @@
-//! ADR-116 — Home Assistant + Matter Cognitum Seed cog.
-//!
-//! This crate is the Seed-installable wrapper around ADR-115's
-//! `wifi-densepose-sensing-server::mqtt` publisher. It adds the
-//! Seed-native surfaces ADR-115's `--mqtt` flag can't easily reach:
-//!
-//! 1. **mDNS service advertisement** — `_ruview-ha._tcp` so HA discovers
-//!    the cog automatically (no manual broker host/port config).
-//! 2. **Optional embedded MQTT broker** — for Seeds running without an
-//!    external mosquitto. Defaults to off; the cog can either embed
-//!    rumqttd or connect to a user-provided broker.
-//! 3. **RuVector-backed semantic-primitive thresholds** — replaces
-//!    static `semantic-thresholds.yaml` with a SONA-adapted RuVector
-//!    inference. Per-home thresholds learned from the Seed's own
-//!    long-term observation stream.
-//! 4. **Ed25519 witness chain** — every state transition signed so
-//!    regulated deployments (healthcare, education, shared housing)
-//!    have a tamper-evident audit log.
-//! 5. **Multi-Seed federation** — peer discovery via mDNS + cross-Seed
-//!    event deduplication keyed on ADR-110's ≤100 µs mesh-aligned
-//!    timestamps. One fall in a shared room emits one alert, not N.
-//! 6. **OTA firmware coordination** — the cog manages C6 firmware
-//!    rollouts for ESP32-C6 nodes in the local mesh.
-//!
-//! The cog binary entrypoint is in `bin/main.rs`. Library modules
-//! below are intentionally small and testable per the /loop-worker
-//! discipline rules (see `docs/ADR-110-BRANCH-STATE.md`).
-
-pub mod manifest;
-pub mod mdns;
-pub mod runtime;
-pub mod witness;
-pub mod witness_signing;
-
-/// Cog identifier used in Seed's app-registry.json + the manifest.
-pub const COG_ID: &str = "ha-matter";
-
-/// mDNS service type advertised when the cog starts.
-pub const MDNS_SERVICE_TYPE: &str = "_ruview-ha._tcp";
-
-/// Default port for the cog's local HTTP control surface (`/health`,
-/// `/api/v1/cog/status`). Distinct from the MQTT broker port.
-pub const DEFAULT_CONTROL_PORT: u16 = 9180;
-
-/// Default port for the embedded MQTT broker, when enabled.
-pub const DEFAULT_EMBEDDED_BROKER_PORT: u16 = 1883;
@@ -1,179 +0,0 @@
-//! `cog-ha-matter` — Home Assistant + Matter Cognitum Seed cog (ADR-116).
-//!
-//! Binary entrypoint. The actual wiring lives in [`cog_ha_matter`] —
-//! this main.rs is intentionally tiny so the cog runtime can call
-//! into the library from tests and from the Seed's control plane
-//! integration tests without re-launching the binary.
-
-use std::process::ExitCode;
-
-use clap::Parser;
-use cog_ha_matter::runtime;
-use tokio::sync::broadcast;
-use tracing::{info, warn};
-use wifi_densepose_sensing_server::mqtt::state::VitalsSnapshot;
-
-#[derive(Parser, Debug)]
-#[command(
-    name = "cog-ha-matter",
-    version,
-    about = "Home Assistant + Matter Cognitum Seed cog",
-    long_about = "Wraps the ADR-115 HA-DISCO + HA-MIND publisher as a \
-                  Seed-installable artifact with mDNS, embedded broker, \
-                  RuVector-backed thresholds, and Ed25519 witness. See \
-                  docs/adr/ADR-116-cog-ha-matter-seed.md for the design."
-)]
-struct Args {
-    /// Where to find the local sensing-server (the cog speaks to it
-    /// to pull `VitalsSnapshot` for republication over MQTT/Matter).
-    #[arg(long, default_value = "http://127.0.0.1:3000")]
-    sensing_url: String,
-
-    /// MQTT broker host. When omitted the cog can spin up an embedded
-    /// rumqttd on `DEFAULT_EMBEDDED_BROKER_PORT` (v1: external only).
-    #[arg(long, default_value = "127.0.0.1")]
-    mqtt_host: String,
-
-    /// MQTT broker port.
-    #[arg(long, default_value_t = cog_ha_matter::DEFAULT_EMBEDDED_BROKER_PORT)]
-    mqtt_port: u16,
-
-    /// Strip biometrics at the wire — only semantic primitives published.
-    /// Matches ADR-115 `--privacy-mode`. The right default for any
-    /// deployment with non-tenant occupants.
-    #[arg(long)]
-    privacy_mode: bool,
-
-    /// Print the manifest the cog would self-report to the Seed's
-    /// control plane and exit. Useful for the build-time signer.
-    #[arg(long)]
-    print_manifest: bool,
-
-    /// mDNS hostname for the Seed advertisement. Must end with
-    /// `.local.` per RFC 6762. Default lets HA's discovery find a
-    /// dev cog on localhost without LAN config.
-    #[arg(long, default_value = "cog-ha-matter.local.")]
-    mdns_hostname: String,
-
-    /// LAN-routable IPv4 the cog binds the control plane on. The
-    /// mDNS responder advertises this; HA reaches back to it for
-    /// MQTT + Matter Bridge.
-    #[arg(long, default_value = "127.0.0.1")]
-    mdns_ipv4: String,
-
-    /// Skip the mDNS responder. Useful in containerised CI where
-    /// multicast bind is filtered, or when running multiple cog
-    /// instances on the same loopback.
-    #[arg(long)]
-    no_mdns: bool,
-}
-
-#[tokio::main]
-async fn main() -> ExitCode {
-    tracing_subscriber::fmt()
-        .with_env_filter(
-            tracing_subscriber::EnvFilter::try_from_default_env()
-                .unwrap_or_else(|_| "cog_ha_matter=info,info".into()),
-        )
-        .init();
-
-    let args = Args::parse();
-
-    info!(
-        sensing_url = %args.sensing_url,
-        mqtt = format!("{}:{}", args.mqtt_host, args.mqtt_port),
-        privacy = args.privacy_mode,
-        "cog-ha-matter starting (ADR-116 P2 scaffold)"
-    );
-
-    if args.print_manifest {
-        // Emit the manifest with build-time-template placeholders. The
-        // Makefile substitutes {{VERSION}} / {{ARCH}} before signing.
-        let m = cog_ha_matter::manifest::CogManifest {
-            id: cog_ha_matter::COG_ID.into(),
-            version: env!("CARGO_PKG_VERSION").into(),
-            binary_url:
-                "https://storage.googleapis.com/cognitum-apps/cogs/{{ARCH}}/cog-ha-matter-{{ARCH}}"
-                    .into(),
-            binary_bytes: 0,
-            binary_sha256: String::new(),
-            binary_signature: String::new(),
-            installed_at: 0,
-            status: "installed".into(),
-        };
-        println!(
-            "{}",
-            serde_json::to_string_pretty(&m).expect("manifest serialization is infallible")
-        );
-        return ExitCode::SUCCESS;
-    }
-
-    // P3: boot the ADR-115 publisher. The broadcast tx is held by
-    // main so the channel doesn't close before the sensing-server
-    // bridge (next iter) wires its VitalsSnapshot producer in.
-    let identity = runtime::CogIdentity::default_for_build();
-    let inputs = runtime::build_publisher_inputs(
-        &args.mqtt_host,
-        args.mqtt_port,
-        args.privacy_mode,
-        identity,
-    );
-    let (state_tx, state_rx) =
-        broadcast::channel::<VitalsSnapshot>(runtime::DEFAULT_STATE_CHANNEL_CAPACITY);
-    let publisher_handle = runtime::spawn_publisher(inputs, state_rx);
-    info!(
-        capacity = runtime::DEFAULT_STATE_CHANNEL_CAPACITY,
-        "publisher spawned — awaiting VitalsSnapshot bridge (P3.5)"
-    );
-
-    // P3.5 (next iter): subscribe to the sensing-server's
-    // `/v1/snapshot` WebSocket and republish into `state_tx`. Until
-    // that lands the cog connects to MQTT, advertises discovery,
-    // and just doesn't have any state to publish — exactly what an
-    // HA install with no nodes online looks like.
-    let _ = &state_tx;
-
-    // P4: mDNS responder. HA's auto-discovery picks the cog up on
-    // `_ruview-ha._tcp` so users don't need to type broker host/port.
-    let _mdns_handle = if args.no_mdns {
-        None
-    } else {
-        let identity = runtime::CogIdentity::default_for_build();
-        let service = cog_ha_matter::mdns::build_mdns_service(
-            &identity,
-            cog_ha_matter::DEFAULT_CONTROL_PORT,
-            args.mqtt_port,
-            args.privacy_mode,
-        );
-        match runtime::start_mdns_responder(&service, &args.mdns_hostname, &args.mdns_ipv4) {
-            Ok(h) => {
-                info!(
-                    fullname = h.fullname(),
-                    hostname = %args.mdns_hostname,
-                    ipv4 = %args.mdns_ipv4,
-                    "mDNS responder registered — HA auto-discovery should find the cog now"
-                );
-                Some(h)
-            }
-            Err(e) => {
-                warn!(error = ?e, "mDNS responder failed to start — discovery disabled, falling back to manual HA config");
-                None
-            }
-        }
-    };
-
-    // Wait on Ctrl-C so the cog runs as a long-lived daemon under
-    // the Seed's process supervisor.
-    tokio::select! {
-        _ = tokio::signal::ctrl_c() => {
-            info!("ctrl-c received — shutting down");
-        }
-        joined = publisher_handle => {
-            warn!(?joined, "publisher task exited unexpectedly");
-        }
-    }
-
-    // _mdns_handle drops here, sending the mDNS goodbye packet so
-    // HA's discovery integration sees the service leave cleanly.
-    ExitCode::SUCCESS
-}
@@ -1,99 +0,0 @@
-//! Cog manifest — same shape as `cog-pose-estimation/cog/manifest.template.json`
-//! per ADR-101 / ADR-102 / ADR-116. Generated at build time by the cog's
-//! Makefile, signed by the project's Ed25519 release key, uploaded to
-//! `gs://cognitum-apps/cogs/<arch>/cog-ha-matter-<arch>` for Seeds to fetch
-//! via `app-registry.json`.
-//!
-//! The runtime ships the typed view here so the cog can self-report its
-//! manifest to the Seed's control plane (`/api/v1/cog/status`).
-//!
-//! Kept in lib.rs's nearest sibling module so manifest format drift between
-//! build-time template and runtime serializer fires a named test.
-
-use serde::{Deserialize, Serialize};
-
-/// Wire-format mirror of `cog/manifest.template.json`.
-///
-/// Every field is required at install time; `binary_signature` is the
-/// Ed25519 sig over `binary_sha256` so the Seed can verify the cog
-/// binary wasn't tampered with between GCS and the device.
-#[derive(Debug, Clone, PartialEq, Eq, Serialize, Deserialize)]
-pub struct CogManifest {
-    /// Stable cog identifier ("ha-matter"). Becomes the directory name
-    /// under `/var/lib/cognitum/apps/<id>/` on the Seed.
-    pub id: String,
-    /// SemVer of the cog binary. Bumped by the Makefile from
-    /// `cargo pkgid` at release time.
-    pub version: String,
-    /// Where the Seed fetches the binary from. Arch-specific URL with
-    /// the `{{ARCH}}` template slot filled in (e.g. `arm`, `x86_64`).
-    pub binary_url: String,
-    /// Bytes of the binary blob. Set at build time after `wc -c`.
-    pub binary_bytes: u64,
-    /// SHA-256 of the binary, hex-lowercase, no `0x` prefix. The Seed
-    /// verifies this before exec().
-    pub binary_sha256: String,
-    /// Ed25519 signature over `binary_sha256`, base64-encoded. Optional
-    /// for unsigned dev builds; required for cogs listed in
-    /// `app-registry.json`.
-    pub binary_signature: String,
-    /// Unix epoch seconds at install time. The Seed stamps this when it
-    /// completes a successful install/upgrade.
-    pub installed_at: u64,
-    /// One of `"installed"`, `"upgrading"`, `"degraded"`, `"removed"`.
-    pub status: String,
-}
-
-impl CogManifest {
-    pub fn id() -> &'static str {
-        super::COG_ID
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    /// Lock the JSON wire shape against accidental field renames. Both
-    /// the Seed's control plane and the build-time signer parse this —
-    /// any drift fires a named test instead of silently breaking ops.
-    #[test]
-    fn manifest_round_trip_matches_template() {
-        let m = CogManifest {
-            id: "ha-matter".into(),
-            version: "0.1.0".into(),
-            binary_url:
-                "https://storage.googleapis.com/cognitum-apps/cogs/arm/cog-ha-matter-arm"
-                    .into(),
-            binary_bytes: 4_200_000,
-            binary_sha256:
-                "a".repeat(64),
-            binary_signature: "Zm9v".into(),
-            installed_at: 1_779_512_400,
-            status: "installed".into(),
-        };
-        let json = serde_json::to_value(&m).unwrap();
-        // Eight required fields, no extras.
-        for key in [
-            "id",
-            "version",
-            "binary_url",
-            "binary_bytes",
-            "binary_sha256",
-            "binary_signature",
-            "installed_at",
-            "status",
-        ] {
-            assert!(json.get(key).is_some(), "missing manifest field `{key}`");
-        }
-        let m2: CogManifest = serde_json::from_value(json).unwrap();
-        assert_eq!(m, m2);
-    }
-
-    #[test]
-    fn manifest_id_constant_matches_cog_id() {
-        // The id helper must agree with the crate-level COG_ID constant
-        // (regression guard for a future rename).
-        assert_eq!(CogManifest::id(), super::super::COG_ID);
-    }
-}
@@ -1,293 +0,0 @@
-//! `mdns` — pure builder for the cog's mDNS advertisement record.
-//!
-//! ADR-116 §2.2: the cog must advertise itself as `_ruview-ha._tcp`
-//! so HA's discovery integration finds the Seed without manual
-//! `broker host` config. This module produces the typed wire-format
-//! shape — no socket I/O, no responder. The actual mDNS responder
-//! (mdns-sd / zeroconf / pnet) lands next iter and consumes this
-//! struct as its single input.
-//!
-//! Keeping the record-builder pure means:
-//!
-//!   * the responder library can be swapped without touching the
-//!     content of the advertisement;
-//!   * the build-time `--print-manifest` path can include the
-//!     advertisement shape so Seed integration tests can assert on
-//!     it without booting tokio;
-//!   * the TXT keys are locked by named unit tests — drift between
-//!     the cog and the HA-side YAML auto-discovery (`hass-wifi-...`)
-//!     fires a test instead of silently breaking a deployment.
-//!
-//! ## TXT record convention (RFC 6763)
-//!
-//! HA's mDNS discovery integration reads TXT records when binding a
-//! manifest to a `homeassistant.<integration>` zeroconf hook. We
-//! publish the minimum set that lets HA distinguish a Seed cog from
-//! a bare sensing-server and pick the right config flow:
-//!
-//! | Key | Value | Purpose |
-//! |---|---|---|
-//! | `cog_id` | `"ha-matter"` | Disambiguates from other RuView cogs |
-//! | `cog_version` | `CARGO_PKG_VERSION` | HA Repairs surfaces upgrade nudges |
-//! | `node_id` | identity node id | HA device registry key |
-//! | `mqtt_port` | u16 string | Tells HA where to reach the cog's MQTT broker (embedded or external) |
-//! | `privacy` | `"1"` / `"0"` | If `1`, HA's config flow gates biometric entities by default |
-//! | `proto` | `"ruview-ha/1"` | Protocol version — bumps on breaking auto-discovery changes |
-//!
-//! No biometric data, no node coordinates, no SSID — TXT records
-//! are broadcast in cleartext and harvested by passive scanners, so
-//! treating them as PII-clean is part of the privacy posture.
-
-use std::collections::HashMap;
-
-use mdns_sd::ServiceInfo;
-
-use crate::COG_ID;
-
-/// Default mDNS instance name template. `{node_id}` is substituted
-/// at build time. Visible in HA's UI when the integration card is
-/// added — "Cognitum Seed (kitchen)" beats a raw UUID.
-const INSTANCE_TEMPLATE: &str = "Cognitum Seed — {node_id}";
-
-/// Wire-format twin of the mDNS service record this cog publishes.
-/// Owned so the responder can move the whole thing into its task.
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub struct MdnsService {
-    /// RFC 6763 service type. Locked to `_ruview-ha._tcp` by a named
-    /// test — drift breaks HA's YAML auto-discovery binding.
-    pub service_type: String,
-    /// Human-readable instance name shown in HA's discovery UI.
-    pub instance_name: String,
-    /// Port the cog's control plane listens on (NOT the MQTT broker
-    /// port — HA needs both, but the service record advertises the
-    /// control plane; the MQTT port rides as a TXT record).
-    pub control_port: u16,
-    /// TXT records sorted by key for deterministic ordering. RFC
-    /// 6763 §6.4 makes ordering implementation-defined, but locking
-    /// it keeps the cog's wire shape byte-stable across rebuilds.
-    pub txt_records: Vec<(String, String)>,
-}
-
-impl MdnsService {
-    /// Look up a TXT key without iterating the caller. `None` if the
-    /// key isn't published — the responder treats absence as
-    /// "feature off" rather than "unknown".
-    pub fn txt(&self, key: &str) -> Option<&str> {
-        self.txt_records
-            .iter()
-            .find(|(k, _)| k == key)
-            .map(|(_, v)| v.as_str())
-    }
-
-    /// Convert into the `mdns_sd::ServiceInfo` the responder daemon
-    /// consumes. Pure transform — no socket binding, no daemon
-    /// registration. The caller wires the resulting `ServiceInfo`
-    /// into `ServiceDaemon::register` (next iter).
-    ///
-    /// `hostname` should end in `.local.` per RFC 6762 — e.g.
-    /// `"cognitum-seed-1.local."`. `ipv4` is the LAN-routable
-    /// address HA's discovery will reach back on.
-    pub fn to_service_info(
-        &self,
-        hostname: &str,
-        ipv4: &str,
-    ) -> Result<ServiceInfo, mdns_sd::Error> {
-        let mut props: HashMap<String, String> = HashMap::with_capacity(self.txt_records.len());
-        for (k, v) in &self.txt_records {
-            props.insert(k.clone(), v.clone());
-        }
-        ServiceInfo::new(
-            &self.service_type,
-            &self.instance_name,
-            hostname,
-            ipv4,
-            self.control_port,
-            Some(props),
-        )
-    }
-}
-
-/// Build the cog's mDNS advertisement record from the cog's typed
-/// identity + ports. Pure: no I/O, no env reads.
-pub fn build_mdns_service(
-    identity: &crate::runtime::CogIdentity,
-    control_port: u16,
-    mqtt_port: u16,
-    privacy_mode: bool,
-) -> MdnsService {
-    let mut txt_records = vec![
-        ("cog_id".to_string(), COG_ID.to_string()),
-        ("cog_version".to_string(), identity.sw_version.clone()),
-        ("node_id".to_string(), identity.node_id.clone()),
-        ("mqtt_port".to_string(), mqtt_port.to_string()),
-        (
-            "privacy".to_string(),
-            if privacy_mode { "1" } else { "0" }.to_string(),
-        ),
-        ("proto".to_string(), "ruview-ha/1".to_string()),
-    ];
-    // Deterministic ordering — see field docstring.
-    txt_records.sort();
-
-    MdnsService {
-        service_type: crate::MDNS_SERVICE_TYPE.to_string(),
-        instance_name: INSTANCE_TEMPLATE.replace("{node_id}", &identity.node_id),
-        control_port,
-        txt_records,
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::runtime::CogIdentity;
-
-    fn id() -> CogIdentity {
-        CogIdentity {
-            node_id: "kitchen-seed".into(),
-            friendly_name: "Kitchen Seed".into(),
-            sw_version: "0.3.0".into(),
-        }
-    }
-
-    #[test]
-    fn service_type_locked_to_ruview_ha_tcp() {
-        // Drift here breaks HA's YAML auto-discovery binding. Lock
-        // it so a future rename surfaces a named test instead of a
-        // silent broken deployment.
-        let svc = build_mdns_service(&id(), 9180, 1883, false);
-        assert_eq!(svc.service_type, "_ruview-ha._tcp");
-        assert_eq!(svc.service_type, crate::MDNS_SERVICE_TYPE);
-    }
-
-    #[test]
-    fn instance_name_carries_node_id() {
-        let svc = build_mdns_service(&id(), 9180, 1883, false);
-        assert!(svc.instance_name.contains("kitchen-seed"));
-    }
-
-    #[test]
-    fn control_port_field_holds_control_not_mqtt_port() {
-        // Easy to swap by accident. Lock the binding so a refactor
-        // doesn't silently advertise the MQTT broker as the control
-        // plane.
-        let svc = build_mdns_service(&id(), 9180, 1883, false);
-        assert_eq!(svc.control_port, 9180);
-        assert_eq!(svc.txt("mqtt_port"), Some("1883"));
-    }
-
-    #[test]
-    fn privacy_flag_is_one_or_zero() {
-        let on = build_mdns_service(&id(), 9180, 1883, true);
-        let off = build_mdns_service(&id(), 9180, 1883, false);
-        assert_eq!(on.txt("privacy"), Some("1"));
-        assert_eq!(off.txt("privacy"), Some("0"));
-    }
-
-    #[test]
-    fn proto_version_bumps_surface_in_txt() {
-        // Locked so a future breaking-change in the cog ↔ HA YAML
-        // contract surfaces here. Bumping it is a deliberate act.
-        let svc = build_mdns_service(&id(), 9180, 1883, false);
-        assert_eq!(svc.txt("proto"), Some("ruview-ha/1"));
-    }
-
-    #[test]
-    fn cog_id_in_txt_matches_crate_constant() {
-        let svc = build_mdns_service(&id(), 9180, 1883, false);
-        assert_eq!(svc.txt("cog_id"), Some(crate::COG_ID));
-    }
-
-    #[test]
-    fn txt_records_are_sorted_for_byte_stable_advertisement() {
-        let svc = build_mdns_service(&id(), 9180, 1883, false);
-        let keys: Vec<&str> = svc.txt_records.iter().map(|(k, _)| k.as_str()).collect();
-        let mut sorted = keys.clone();
-        sorted.sort();
-        assert_eq!(keys, sorted);
-    }
-
-    #[test]
-    fn txt_carries_no_biometric_or_pii_keys() {
-        // TXT records broadcast in cleartext; passive scanners
-        // harvest them. Lock the publishable surface so a future
-        // "let's add hr_bpm to TXT for convenience" patch fires a
-        // named test instead of leaking biometrics.
-        let svc = build_mdns_service(&id(), 9180, 1883, false);
-        let forbidden = [
-            "hr_bpm",
-            "br_bpm",
-            "pose_x",
-            "pose_y",
-            "keypoint",
-            "ssid",
-            "lat",
-            "lon",
-            "mac",
-            "rssi",
-        ];
-        for key in forbidden {
-            assert!(
-                svc.txt(key).is_none(),
-                "TXT key `{key}` leaks PII / biometric data — must not be advertised"
-            );
-        }
-    }
-
-    #[test]
-    fn to_service_info_carries_service_type_and_port() {
-        let svc = build_mdns_service(&id(), 9180, 1883, false);
-        let info = svc
-            .to_service_info("cognitum-seed-1.local.", "192.168.1.50")
-            .expect("valid service info");
-        // mdns-sd may rewrite the type with a trailing dot; allow
-        // both forms.
-        let ty = info.get_type();
-        assert!(
-            ty == "_ruview-ha._tcp" || ty == "_ruview-ha._tcp.",
-            "unexpected service type: {ty}"
-        );
-        assert_eq!(info.get_port(), 9180);
-    }
-
-    #[test]
-    fn to_service_info_propagates_txt_records() {
-        let svc = build_mdns_service(&id(), 9180, 1883, true);
-        let info = svc
-            .to_service_info("cognitum-seed-1.local.", "192.168.1.50")
-            .expect("valid service info");
-        // Every locked TXT key must reach the wire-format payload.
-        assert_eq!(info.get_property_val_str("cog_id"), Some(crate::COG_ID));
-        assert_eq!(info.get_property_val_str("mqtt_port"), Some("1883"));
-        assert_eq!(info.get_property_val_str("privacy"), Some("1"));
-        assert_eq!(info.get_property_val_str("proto"), Some("ruview-ha/1"));
-        assert!(info.get_property_val_str("node_id").is_some());
-        assert!(info.get_property_val_str("cog_version").is_some());
-    }
-
-    #[test]
-    fn to_service_info_does_not_silently_drop_caller_hostname() {
-        // mdns-sd 0.11 accepts bare hostnames (no `.local.`); the
-        // responsibility for the trailing dot lives in our wrapper.
-        // Lock that the caller's hostname survives the conversion
-        // verbatim — a future bump that starts mutating the value
-        // surfaces a named test instead of a silent change.
-        let svc = build_mdns_service(&id(), 9180, 1883, false);
-        let info = svc
-            .to_service_info("cognitum-seed-1.local.", "192.168.1.50")
-            .unwrap();
-        assert!(info.get_hostname().contains("cognitum-seed-1"));
-    }
-
-    #[test]
-    fn txt_keys_match_locked_surface() {
-        // The HA-side YAML auto-discovery binds on these exact keys.
-        // Adding a key is fine; removing or renaming one breaks
-        // every deployed Seed. This test catches both directions.
-        let svc = build_mdns_service(&id(), 9180, 1883, true);
-        let required = ["cog_id", "cog_version", "node_id", "mqtt_port", "privacy", "proto"];
-        for key in required {
-            assert!(svc.txt(key).is_some(), "TXT key `{key}` missing");
-        }
-    }
-}
@@ -1,334 +0,0 @@
-//! `runtime` — pure builders that turn the cog's small CLI surface
-//! into the shapes ADR-115's `publisher::spawn` consumes.
-//!
-//! Kept side-effect-free so the tests don't need a tokio runtime, and
-//! so the cog's mDNS responder / control plane (P4) can build the
-//! same inputs from a different source (Seed control config, JSON
-//! POST) without going through `clap`.
-//!
-//! Per the ADR-115 integration-test post-mortem (iter 45-48 of the
-//! ADR-110 sprint), the MQTT `client_id` MUST be unique per process —
-//! reusing a client_id causes the broker to disconnect the previous
-//! session and the new publisher reconnects in a loop. We derive
-//! `client_id` from the caller-supplied `node_id` for that reason.
-//!
-//! P3 of ADR-116: this module produces the input pair; the binary
-//! wires the actual `tokio::spawn(publisher::run(...))` next iter.
-//!
-//! The publisher inputs are intentionally typed in *this* crate, so
-//! the cog's tests and the `--print-manifest` path can exercise the
-//! builder without pulling in the rumqttc event loop.
-
-use std::sync::Arc;
-
-use mdns_sd::ServiceDaemon;
-use tokio::{sync::broadcast, task::JoinHandle};
-use wifi_densepose_sensing_server::mqtt::{
-    config::{MqttConfig, PublishRates, TlsConfig},
-    publisher::{self, OwnedDiscoveryBuilder},
-    state::VitalsSnapshot,
-    DEFAULT_DISCOVERY_PREFIX, MANUFACTURER,
-};
-
-use crate::mdns::MdnsService;
-
-/// Caller-supplied identity for the cog instance. Filled in by the
-/// cog runtime from the mDNS hostname / Seed control plane in
-/// production; threaded as a parameter so tests can build inputs
-/// without touching the environment.
-#[derive(Debug, Clone)]
-pub struct CogIdentity {
-    /// Stable node identifier — appears in MQTT topics, HA device
-    /// registry, mDNS service name. Must be ASCII-safe; the cog
-    /// runtime is responsible for sanitising user input.
-    pub node_id: String,
-    /// Human-readable name surfaced in the HA UI.
-    pub friendly_name: String,
-    /// SemVer of the cog binary. Surfaces as the HA device `sw_version`.
-    pub sw_version: String,
-}
-
-impl CogIdentity {
-    /// Default identity used when the cog runs standalone (no Seed
-    /// control plane). Uses the PID for uniqueness so two cog
-    /// instances on the same host don't fight over the same MQTT
-    /// session — same trick the ADR-115 publisher uses.
-    pub fn default_for_build() -> Self {
-        Self {
-            node_id: format!("cog-ha-matter-{}", std::process::id()),
-            friendly_name: "Cognitum Seed — HA cog".into(),
-            sw_version: env!("CARGO_PKG_VERSION").into(),
-        }
-    }
-}
-
-/// The pair ADR-115's `publisher::spawn` needs. Owned so we can move
-/// the whole thing into a `tokio::spawn` closure without lifetime
-/// gymnastics.
-#[derive(Debug, Clone)]
-pub struct PublisherInputs {
-    pub config: MqttConfig,
-    pub discovery: OwnedDiscoveryBuilder,
-}
-
-/// Build the publisher inputs from the cog's small CLI surface.
-///
-/// Pure function — no I/O, no env reads. The caller wraps `config`
-/// in an `Arc` before handing it to `publisher::spawn`.
-pub fn build_publisher_inputs(
-    mqtt_host: &str,
-    mqtt_port: u16,
-    privacy_mode: bool,
-    identity: CogIdentity,
-) -> PublisherInputs {
-    let config = MqttConfig {
-        host: mqtt_host.to_string(),
-        port: mqtt_port,
-        username: None,
-        password: None,
-        client_id: format!("{}-{}", super::COG_ID, identity.node_id),
-        discovery_prefix: DEFAULT_DISCOVERY_PREFIX.to_string(),
-        tls: TlsConfig::Off,
-        refresh_secs: 60,
-        rates: PublishRates::default(),
-        publish_pose: false,
-        privacy_mode,
-    };
-
-    let discovery = OwnedDiscoveryBuilder {
-        discovery_prefix: DEFAULT_DISCOVERY_PREFIX.to_string(),
-        node_id: identity.node_id,
-        node_friendly_name: Some(identity.friendly_name),
-        sw_version: identity.sw_version,
-        model: format!("{MANUFACTURER} cog-ha-matter"),
-        via_device: Some(super::COG_ID.to_string()),
-    };
-
-    PublisherInputs { config, discovery }
-}
-
-/// Default broadcast-channel capacity for the cog's VitalsSnapshot
-/// stream. Matches the sensing-server's own default so the cog
-/// doesn't bottleneck the publisher under bursty loads (multi-Seed
-/// federation, mesh re-sync events).
-pub const DEFAULT_STATE_CHANNEL_CAPACITY: usize = 256;
-
-/// Spawn the ADR-115 MQTT publisher with the cog's typed inputs.
-///
-/// Thin wrapper around [`publisher::spawn`] that:
-/// 1. wraps `inputs.config` in `Arc` (publisher requires shared
-///    ownership across reconnects),
-/// 2. moves `inputs.discovery` into the spawn (publisher clones it
-///    per reconnect; `OwnedDiscoveryBuilder` is `Clone`),
-/// 3. hands the broadcast receiver across without an intermediate.
-///
-/// Returning the `JoinHandle` lets `main.rs` await it on shutdown
-/// (or `abort()` it from a control-plane handler).
-pub fn spawn_publisher(
-    inputs: PublisherInputs,
-    state_rx: broadcast::Receiver<VitalsSnapshot>,
-) -> JoinHandle<()> {
-    let PublisherInputs { config, discovery } = inputs;
-    publisher::spawn(Arc::new(config), discovery, state_rx)
-}
-
-/// Owned handle to a live mDNS responder. Holding it keeps the
-/// service advertised; `shutdown` unregisters cleanly so HA's
-/// discovery integration sees a goodbye packet instead of a
-/// dropped advertisement.
-///
-/// `Drop` is best-effort: tries unregister + daemon shutdown but
-/// swallows errors, since panicking in Drop would mask the real
-/// failure that prompted the shutdown.
-pub struct MdnsResponderHandle {
-    daemon: ServiceDaemon,
-    fullname: String,
-}
-
-impl MdnsResponderHandle {
-    /// Fully-qualified DNS-SD name (`<instance>.<type>.<domain>`).
-    /// Exposed for tests + logging; the responder uses it to
-    /// unregister.
-    pub fn fullname(&self) -> &str {
-        &self.fullname
-    }
-
-    /// Unregister the service and shut down the daemon. Returns
-    /// any error so the caller's shutdown sequence can surface it.
-    pub fn shutdown(self) -> Result<(), mdns_sd::Error> {
-        let _ = self.daemon.unregister(&self.fullname);
-        let _ = self.daemon.shutdown()?;
-        Ok(())
-    }
-}
-
-impl Drop for MdnsResponderHandle {
-    fn drop(&mut self) {
-        let _ = self.daemon.unregister(&self.fullname);
-        let _ = self.daemon.shutdown();
-    }
-}
-
-/// Start the mDNS responder for a cog and register its service.
-///
-/// Binds a multicast socket (`mdns_sd::ServiceDaemon::new`) and
-/// publishes `service` under `hostname` (must end in `.local.`)
-/// and `ipv4` (the LAN-routable address HA's discovery reaches
-/// back on).
-///
-/// Live-I/O: binding multicast may fail in containerised CI or
-/// on networks where 5353/udp is filtered — callers should treat
-/// the error as recoverable (log + retry, or fall back to manual
-/// HA configuration) rather than fatal to the cog.
-pub fn start_mdns_responder(
-    service: &MdnsService,
-    hostname: &str,
-    ipv4: &str,
-) -> Result<MdnsResponderHandle, mdns_sd::Error> {
-    let daemon = ServiceDaemon::new()?;
-    let info = service.to_service_info(hostname, ipv4)?;
-    let fullname = info.get_fullname().to_string();
-    daemon.register(info)?;
-    Ok(MdnsResponderHandle { daemon, fullname })
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn id() -> CogIdentity {
-        CogIdentity {
-            node_id: "seed-7".into(),
-            friendly_name: "test-seed".into(),
-            sw_version: "0.0.1-test".into(),
-        }
-    }
-
-    #[test]
-    fn host_and_port_round_trip_into_mqtt_config() {
-        let out = build_publisher_inputs("10.0.0.5", 8883, false, id());
-        assert_eq!(out.config.host, "10.0.0.5");
-        assert_eq!(out.config.port, 8883);
-    }
-
-    #[test]
-    fn privacy_mode_propagates_to_mqtt_config() {
-        let on = build_publisher_inputs("h", 1883, true, id());
-        let off = build_publisher_inputs("h", 1883, false, id());
-        assert!(on.config.privacy_mode);
-        assert!(!off.config.privacy_mode);
-    }
-
-    #[test]
-    fn discovery_prefix_defaults_to_homeassistant() {
-        let out = build_publisher_inputs("h", 1883, false, id());
-        assert_eq!(out.config.discovery_prefix, DEFAULT_DISCOVERY_PREFIX);
-        assert_eq!(out.discovery.discovery_prefix, DEFAULT_DISCOVERY_PREFIX);
-    }
-
-    #[test]
-    fn discovery_carries_identity_fields() {
-        let out = build_publisher_inputs("h", 1883, false, id());
-        assert_eq!(out.discovery.node_id, "seed-7");
-        assert_eq!(out.discovery.sw_version, "0.0.1-test");
-        assert_eq!(out.discovery.node_friendly_name.as_deref(), Some("test-seed"));
-    }
-
-    #[test]
-    fn via_device_advertises_cog_id() {
-        // ADR-101 / ADR-102: every cog must surface its `id` as the
-        // HA device's `via_device` so the appliance shows up as the
-        // bridge — fires a named test instead of silently breaking
-        // the device-registry shape.
-        let out = build_publisher_inputs("h", 1883, false, id());
-        assert_eq!(out.discovery.via_device.as_deref(), Some(super::super::COG_ID));
-    }
-
-    #[test]
-    fn client_id_includes_node_id_for_session_uniqueness() {
-        // Lesson from the ADR-115 integration-test post-mortem: two
-        // publishers sharing a `client_id` fight over the broker
-        // session and one reconnects forever. The cog must derive
-        // `client_id` from `node_id` so multi-Seed deployments don't
-        // collide.
-        let out = build_publisher_inputs("h", 1883, false, id());
-        assert!(out.config.client_id.contains("seed-7"));
-        assert!(out.config.client_id.starts_with(super::super::COG_ID));
-    }
-
-    #[test]
-    fn tls_defaults_to_off_for_v1_lan_only() {
-        // v1 ships LAN-only (no broker on the open internet); TLS
-        // wiring lands in v0.8 alongside Matter Bridge per ADR-116
-        // §4. Lock the default so a future refactor surfaces a
-        // named test instead of silently enabling TLS.
-        let out = build_publisher_inputs("h", 1883, false, id());
-        assert!(matches!(out.config.tls, TlsConfig::Off));
-    }
-
-    #[tokio::test]
-    async fn spawn_publisher_returns_live_handle_without_broker() {
-        // No real broker on this port — rumqttc retries internally so
-        // the spawned task stays alive. We just prove the wiring
-        // compiles + the JoinHandle is not pre-finished. Aborting
-        // immediately keeps the test under 100 ms.
-        let inputs = build_publisher_inputs("127.0.0.1", 1, false, id());
-        let (tx, rx) = broadcast::channel::<VitalsSnapshot>(DEFAULT_STATE_CHANNEL_CAPACITY);
-        let handle = spawn_publisher(inputs, rx);
-        // Task is still running (not pre-finished by config validation).
-        assert!(!handle.is_finished());
-        // Keep `tx` alive past the handle abort so the receiver side
-        // doesn't panic on drop before the task notices the channel
-        // closed.
-        handle.abort();
-        let _ = handle.await; // joined, may be Err(Cancelled) — OK.
-        drop(tx);
-    }
-
-    #[test]
-    fn default_state_channel_capacity_is_reasonable() {
-        // Lock the default so a regression to e.g. 1 surfaces a named
-        // test. Multi-Seed federation needs headroom for bursty
-        // mesh re-sync events.
-        assert!(DEFAULT_STATE_CHANNEL_CAPACITY >= 64);
-    }
-
-    #[test]
-    fn mdns_responder_fullname_concatenates_instance_and_service_type() {
-        // Live-I/O test: binds multicast on the loopback adapter.
-        // Skips with a warning if the host's network stack refuses
-        // the bind (containerised CI without --network host, etc.)
-        // rather than failing the whole test suite.
-        use crate::mdns::build_mdns_service;
-        let svc = build_mdns_service(&id(), 9180, 1883, false);
-        let handle = match start_mdns_responder(&svc, "cog-ha-matter-test.local.", "127.0.0.1") {
-            Ok(h) => h,
-            Err(e) => {
-                eprintln!("mdns multicast bind not available in this sandbox: {e} — skipping");
-                return;
-            }
-        };
-        // Fullname format is "<instance>.<service_type>." per RFC 6763.
-        // mdns-sd may URL-escape special chars (— in instance name) so
-        // we only assert on the service-type segment which is stable.
-        let fullname = handle.fullname().to_string();
-        assert!(
-            !fullname.is_empty(),
-            "fullname empty after register"
-        );
-        assert!(
-            fullname.contains("_ruview-ha._tcp"),
-            "fullname `{fullname}` missing service type"
-        );
-        handle.shutdown().expect("clean shutdown");
-    }
-
-    #[test]
-    fn default_identity_carries_pkg_version_and_pid() {
-        let identity = CogIdentity::default_for_build();
-        assert_eq!(identity.sw_version, env!("CARGO_PKG_VERSION"));
-        assert!(identity.node_id.starts_with("cog-ha-matter-"));
-        // Friendly name is non-empty so HA's device card has a label.
-        assert!(!identity.friendly_name.is_empty());
-    }
-}
@@ -1,795 +0,0 @@
-//! `witness` — append-only hash-chained event log for the cog.
-//!
-//! ADR-116 §2.2 promises a tamper-evident audit log so regulated
-//! deployments (healthcare, education, shared housing) can prove
-//! that the state transitions a Seed reported were actually emitted
-//! by the cog at the time they were emitted, not retroactively
-//! rewritten.
-//!
-//! This module is the **pure hash-chain primitive**:
-//!
-//!   * SHA-256 over deterministic canonical bytes,
-//!   * `prev_hash` chains each event to its predecessor,
-//!   * `WitnessChain::append` is the only mutator — no random
-//!     access, no replace, no delete.
-//!
-//! Ed25519 signing layers on top once the key-management story
-//! lands (probably as `witness_signing.rs` reading a key from the
-//! Seed's secure store). Keeping the hash chain and the signature
-//! in separate modules means the chain primitive can be tested
-//! without a key fixture, and a future key rotation doesn't
-//! invalidate the chain itself — only the signature over each
-//! event.
-//!
-//! ## Why hash-chain first, not Merkle tree?
-//!
-//! The cog emits witness events at the rate of semantic-primitive
-//! transitions — a few per minute in steady state, dozens during
-//! a fall-detection / room-transition event. Linear scan is fine
-//! at that rate; we save the Merkle complexity for a future tier
-//! when the chain spans days and the auditor wants O(log n)
-//! inclusion proofs.
-
-use std::io::{self, BufRead, Write};
-
-use sha2::{Digest, Sha256};
-
-/// 32-byte hash output. Lifted into a newtype so a future migration
-/// to Blake3 / SHA-512 surfaces as a type change instead of a
-/// silent length difference in serialized witness bundles.
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
-pub struct WitnessHash(pub [u8; 32]);
-
-impl WitnessHash {
-    /// Genesis hash — the predecessor of the first event. Sentinel
-    /// "no prior event" value.
-    pub const GENESIS: WitnessHash = WitnessHash([0u8; 32]);
-
-    /// Lowercase hex without `0x` prefix. Matches the format the
-    /// `cog-pose-estimation` manifest uses for `binary_sha256` so
-    /// downstream tooling can apply one parser.
-    pub fn to_hex(&self) -> String {
-        let mut s = String::with_capacity(64);
-        for b in self.0 {
-            s.push_str(&format!("{b:02x}"));
-        }
-        s
-    }
-
-    /// Parse a 64-char lowercase-hex string back into a `WitnessHash`.
-    /// Rejects wrong-length input and non-hex characters — used by
-    /// the JSONL parser when reading audit bundles.
-    pub fn from_hex(s: &str) -> Result<WitnessHash, WitnessParseError> {
-        if s.len() != 64 {
-            return Err(WitnessParseError::HashLength { found: s.len() });
-        }
-        let mut out = [0u8; 32];
-        for (i, byte) in out.iter_mut().enumerate() {
-            let lo = i * 2;
-            *byte = u8::from_str_radix(&s[lo..lo + 2], 16)
-                .map_err(|_| WitnessParseError::HashHex { at: lo })?;
-        }
-        Ok(WitnessHash(out))
-    }
-}
-
-/// A single witnessed event. Append-only — once committed to a
-/// `WitnessChain`, the fields here are immutable.
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub struct WitnessEvent {
-    /// Zero-based sequence number. Strictly monotonically
-    /// increasing within a chain — gaps mean the chain was
-    /// truncated.
-    pub seq: u64,
-    /// Hash of the previous event, or [`WitnessHash::GENESIS`] for
-    /// the first.
-    pub prev_hash: WitnessHash,
-    /// Unix epoch seconds at append time. Caller-supplied so the
-    /// test suite isn't time-coupled; production uses
-    /// `SystemTime::now()`.
-    pub timestamp_unix_s: u64,
-    /// Short stable kind tag — e.g. `"fall_risk_elevated"`,
-    /// `"bed_exit"`, `"privacy_mode_toggled"`. Locked vocabulary
-    /// in the future; free-form here until the semantic-primitive
-    /// catalog stabilises.
-    pub kind: String,
-    /// Opaque payload bytes. Typically the JSON of the emitted MQTT
-    /// state message so an auditor can re-derive what HA was told.
-    pub payload: Vec<u8>,
-    /// Hash of *this* event, computed over canonical bytes that
-    /// include `prev_hash` — so reconstructing the chain proves
-    /// nothing in the past was rewritten.
-    pub this_hash: WitnessHash,
-}
-
-/// Compute the canonical-bytes form an event is hashed over.
-///
-/// The format is intentionally simple and length-prefixed so a
-/// future migration can be staged with a `version` byte in front
-/// without ambiguity:
-///
-/// ```text
-///   prev_hash[32] | seq:u64-be | ts:u64-be | kind_len:u32-be | kind | payload_len:u32-be | payload
-/// ```
-///
-/// Length-prefixing prevents the classic "concatenation forgery"
-/// attack where `"abc" + "def"` and `"ab" + "cdef"` would hash the
-/// same.
-pub fn canonical_bytes(
-    prev_hash: WitnessHash,
-    seq: u64,
-    timestamp_unix_s: u64,
-    kind: &str,
-    payload: &[u8],
-) -> Vec<u8> {
-    let kind_bytes = kind.as_bytes();
-    let mut out = Vec::with_capacity(32 + 8 + 8 + 4 + kind_bytes.len() + 4 + payload.len());
-    out.extend_from_slice(&prev_hash.0);
-    out.extend_from_slice(&seq.to_be_bytes());
-    out.extend_from_slice(&timestamp_unix_s.to_be_bytes());
-    out.extend_from_slice(&(kind_bytes.len() as u32).to_be_bytes());
-    out.extend_from_slice(kind_bytes);
-    out.extend_from_slice(&(payload.len() as u32).to_be_bytes());
-    out.extend_from_slice(payload);
-    out
-}
-
-/// Compute the SHA-256 hash for an event.
-pub fn hash_event(
-    prev_hash: WitnessHash,
-    seq: u64,
-    timestamp_unix_s: u64,
-    kind: &str,
-    payload: &[u8],
-) -> WitnessHash {
-    let mut h = Sha256::new();
-    h.update(canonical_bytes(prev_hash, seq, timestamp_unix_s, kind, payload));
-    let digest = h.finalize();
-    let mut out = [0u8; 32];
-    out.copy_from_slice(&digest);
-    WitnessHash(out)
-}
-
-/// In-memory append-only chain. Persistence (write to the Seed's
-/// `~/cognitum/witness/<cog>/events.jsonl`) is a separate concern
-/// kept out of this module.
-#[derive(Debug, Default, Clone)]
-pub struct WitnessChain {
-    events: Vec<WitnessEvent>,
-}
-
-impl WitnessChain {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    /// Last committed hash, or `GENESIS` if the chain is empty.
-    pub fn tip(&self) -> WitnessHash {
-        self.events
-            .last()
-            .map(|e| e.this_hash)
-            .unwrap_or(WitnessHash::GENESIS)
-    }
-
-    pub fn len(&self) -> usize {
-        self.events.len()
-    }
-
-    pub fn is_empty(&self) -> bool {
-        self.events.is_empty()
-    }
-
-    /// Append a new event. Caller supplies the wall-clock so tests
-    /// stay deterministic.
-    pub fn append(&mut self, kind: &str, payload: &[u8], timestamp_unix_s: u64) -> &WitnessEvent {
-        let prev_hash = self.tip();
-        let seq = self.events.len() as u64;
-        let this_hash = hash_event(prev_hash, seq, timestamp_unix_s, kind, payload);
-        self.events.push(WitnessEvent {
-            seq,
-            prev_hash,
-            timestamp_unix_s,
-            kind: kind.to_string(),
-            payload: payload.to_vec(),
-            this_hash,
-        });
-        self.events.last().expect("just pushed")
-    }
-
-    pub fn events(&self) -> &[WitnessEvent] {
-        &self.events
-    }
-
-    /// Stream every event to a JSONL sink. Each event becomes one
-    /// line terminated by `\n`. Empty chains write zero bytes.
-    ///
-    /// The caller owns the writer — `File`, `BufWriter`, an
-    /// in-memory `Vec<u8>` for tests — so this method never
-    /// allocates beyond per-event line buffers.
-    pub fn write_jsonl<W: Write>(&self, w: &mut W) -> io::Result<()> {
-        for ev in &self.events {
-            w.write_all(ev.to_jsonl_line().as_bytes())?;
-            w.write_all(b"\n")?;
-        }
-        Ok(())
-    }
-
-    /// Read a JSONL audit bundle into a fresh `WitnessChain`. Each
-    /// non-empty line is parsed via `WitnessEvent::from_jsonl_line`
-    /// (which re-verifies the stored hash), then the loaded chain
-    /// is end-to-end verified via [`WitnessChain::verify`] to catch
-    /// out-of-order events or replayed prefixes.
-    ///
-    /// Bundle errors surface with their `line_no` (1-indexed) so an
-    /// auditor can point at the bad record.
-    pub fn read_jsonl<R: BufRead>(r: R) -> Result<WitnessChain, WitnessReadError> {
-        let mut chain = WitnessChain::new();
-        for (i, line_res) in r.lines().enumerate() {
-            let line_no = i + 1;
-            let line = line_res.map_err(|e| WitnessReadError::Io {
-                line_no,
-                msg: e.to_string(),
-            })?;
-            if line.trim().is_empty() {
-                continue; // tolerate blank lines / trailing \n
-            }
-            let ev = WitnessEvent::from_jsonl_line(&line)
-                .map_err(|source| WitnessReadError::Parse { line_no, source })?;
-            chain.events.push(ev);
-        }
-        chain
-            .verify()
-            .map_err(|source| WitnessReadError::Verify { source })?;
-        Ok(chain)
-    }
-
-    /// Verify every event's `this_hash` matches the canonical bytes,
-    /// every `prev_hash` matches the predecessor's `this_hash`, and
-    /// `seq` is gap-free starting at 0.
-    ///
-    /// Returns `Ok(())` on a sound chain or an `Err` with the first
-    /// failing index + reason — auditor-friendly.
-    pub fn verify(&self) -> Result<(), WitnessVerifyError> {
-        let mut prev = WitnessHash::GENESIS;
-        for (i, ev) in self.events.iter().enumerate() {
-            if ev.seq != i as u64 {
-                return Err(WitnessVerifyError::SeqGap { at: i, found: ev.seq });
-            }
-            if ev.prev_hash != prev {
-                return Err(WitnessVerifyError::PrevHashMismatch { at: i });
-            }
-            let recomputed = hash_event(
-                ev.prev_hash,
-                ev.seq,
-                ev.timestamp_unix_s,
-                &ev.kind,
-                &ev.payload,
-            );
-            if recomputed != ev.this_hash {
-                return Err(WitnessVerifyError::HashMismatch { at: i });
-            }
-            prev = ev.this_hash;
-        }
-        Ok(())
-    }
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error)]
-pub enum WitnessVerifyError {
-    #[error("seq gap at index {at}: expected {at}, found {found}")]
-    SeqGap { at: usize, found: u64 },
-    #[error("prev_hash mismatch at index {at}")]
-    PrevHashMismatch { at: usize },
-    #[error("this_hash mismatch at index {at} — event tampered")]
-    HashMismatch { at: usize },
-}
-
-#[derive(Debug, thiserror::Error)]
-pub enum WitnessReadError {
-    #[error("io error at line {line_no}: {msg}")]
-    Io { line_no: usize, msg: String },
-    #[error("parse error at line {line_no}: {source}")]
-    Parse {
-        line_no: usize,
-        #[source]
-        source: WitnessParseError,
-    },
-    #[error("chain-level verify failed: {source}")]
-    Verify {
-        #[source]
-        source: WitnessVerifyError,
-    },
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error)]
-pub enum WitnessParseError {
-    #[error("invalid JSON: {0}")]
-    Json(String),
-    #[error("missing required field `{0}`")]
-    MissingField(&'static str),
-    #[error("field `{field}` has wrong type")]
-    WrongType { field: &'static str },
-    #[error("hash hex must be 64 chars, got {found}")]
-    HashLength { found: usize },
-    #[error("hash hex parse error at byte offset {at}")]
-    HashHex { at: usize },
-    #[error("payload hex parse error at byte offset {at}")]
-    PayloadHex { at: usize },
-    #[error("payload hex must be even length, got {found}")]
-    PayloadLength { found: usize },
-    #[error("recomputed hash does not match this_hash — bundle is forged or corrupted")]
-    HashMismatch,
-}
-
-fn hex_encode(bytes: &[u8]) -> String {
-    let mut s = String::with_capacity(bytes.len() * 2);
-    for b in bytes {
-        s.push_str(&format!("{b:02x}"));
-    }
-    s
-}
-
-fn hex_decode(s: &str) -> Result<Vec<u8>, WitnessParseError> {
-    if s.len() % 2 != 0 {
-        return Err(WitnessParseError::PayloadLength { found: s.len() });
-    }
-    let mut out = Vec::with_capacity(s.len() / 2);
-    for i in (0..s.len()).step_by(2) {
-        let byte = u8::from_str_radix(&s[i..i + 2], 16)
-            .map_err(|_| WitnessParseError::PayloadHex { at: i })?;
-        out.push(byte);
-    }
-    Ok(out)
-}
-
-impl WitnessEvent {
-    /// Serialize one event to a single JSONL line (no trailing
-    /// newline). The format is the audit-bundle wire shape; tools
-    /// downstream parse it line-by-line with [`Self::from_jsonl_line`].
-    ///
-    /// Field ordering is locked alphabetically for byte-stable
-    /// output across rebuilds — auditors hash whole bundles, so a
-    /// rebuild that reordered fields would silently invalidate
-    /// archival hashes.
-    ///
-    /// Wire shape:
-    ///
-    /// ```json
-    /// {"kind":"...","payload_hex":"...","prev_hash":"...","seq":N,"this_hash":"...","timestamp_unix_s":N}
-    /// ```
-    pub fn to_jsonl_line(&self) -> String {
-        // Hand-rolled instead of serde_derive so the wire-format
-        // ordering is under direct test control.
-        format!(
-            "{{\"kind\":{kind},\"payload_hex\":\"{payload}\",\"prev_hash\":\"{prev}\",\"seq\":{seq},\"this_hash\":\"{this}\",\"timestamp_unix_s\":{ts}}}",
-            kind = serde_json::to_string(&self.kind).expect("string is always serializable"),
-            payload = hex_encode(&self.payload),
-            prev = self.prev_hash.to_hex(),
-            seq = self.seq,
-            this = self.this_hash.to_hex(),
-            ts = self.timestamp_unix_s,
-        )
-    }
-
-    /// Parse one JSONL line back into a `WitnessEvent`. Re-verifies
-    /// the stored `this_hash` against the canonical bytes — a
-    /// tampered bundle fires [`WitnessParseError::HashMismatch`]
-    /// instead of silently loading forged events.
-    pub fn from_jsonl_line(line: &str) -> Result<WitnessEvent, WitnessParseError> {
-        let v: serde_json::Value =
-            serde_json::from_str(line).map_err(|e| WitnessParseError::Json(e.to_string()))?;
-        let obj = v
-            .as_object()
-            .ok_or(WitnessParseError::WrongType { field: "<root>" })?;
-
-        let seq = obj
-            .get("seq")
-            .ok_or(WitnessParseError::MissingField("seq"))?
-            .as_u64()
-            .ok_or(WitnessParseError::WrongType { field: "seq" })?;
-        let timestamp_unix_s = obj
-            .get("timestamp_unix_s")
-            .ok_or(WitnessParseError::MissingField("timestamp_unix_s"))?
-            .as_u64()
-            .ok_or(WitnessParseError::WrongType {
-                field: "timestamp_unix_s",
-            })?;
-        let kind = obj
-            .get("kind")
-            .ok_or(WitnessParseError::MissingField("kind"))?
-            .as_str()
-            .ok_or(WitnessParseError::WrongType { field: "kind" })?
-            .to_string();
-        let prev_hash = WitnessHash::from_hex(
-            obj.get("prev_hash")
-                .ok_or(WitnessParseError::MissingField("prev_hash"))?
-                .as_str()
-                .ok_or(WitnessParseError::WrongType { field: "prev_hash" })?,
-        )?;
-        let this_hash = WitnessHash::from_hex(
-            obj.get("this_hash")
-                .ok_or(WitnessParseError::MissingField("this_hash"))?
-                .as_str()
-                .ok_or(WitnessParseError::WrongType { field: "this_hash" })?,
-        )?;
-        let payload = hex_decode(
-            obj.get("payload_hex")
-                .ok_or(WitnessParseError::MissingField("payload_hex"))?
-                .as_str()
-                .ok_or(WitnessParseError::WrongType {
-                    field: "payload_hex",
-                })?,
-        )?;
-
-        // Re-verify the stored hash. The on-disk hash is purely
-        // declarative; this is what makes the JSONL a witness.
-        let recomputed = hash_event(prev_hash, seq, timestamp_unix_s, &kind, &payload);
-        if recomputed != this_hash {
-            return Err(WitnessParseError::HashMismatch);
-        }
-
-        Ok(WitnessEvent {
-            seq,
-            prev_hash,
-            timestamp_unix_s,
-            kind,
-            payload,
-            this_hash,
-        })
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn genesis_hash_is_all_zeros() {
-        assert_eq!(WitnessHash::GENESIS.0, [0u8; 32]);
-    }
-
-    #[test]
-    fn empty_chain_tip_is_genesis() {
-        let c = WitnessChain::new();
-        assert_eq!(c.tip(), WitnessHash::GENESIS);
-        assert!(c.is_empty());
-    }
-
-    #[test]
-    fn canonical_bytes_length_prefixing_prevents_ambiguity() {
-        // Classic concatenation forgery: without length prefixes,
-        // ("abc","def") and ("ab","cdef") would produce the same
-        // hash. With them, they don't.
-        let a = canonical_bytes(WitnessHash::GENESIS, 0, 0, "abc", b"def");
-        let b = canonical_bytes(WitnessHash::GENESIS, 0, 0, "ab", b"cdef");
-        assert_ne!(a, b);
-    }
-
-    #[test]
-    fn canonical_bytes_starts_with_prev_hash() {
-        // Locks the on-wire format. A future migration that flips
-        // field order must bump a version byte and update this test.
-        let bytes = canonical_bytes(WitnessHash([7u8; 32]), 1, 2, "k", b"p");
-        assert_eq!(&bytes[..32], &[7u8; 32]);
-    }
-
-    #[test]
-    fn append_links_to_prev_hash() {
-        let mut c = WitnessChain::new();
-        let h1 = c.append("a", b"1", 100).this_hash;
-        let e2 = c.append("b", b"2", 101);
-        assert_eq!(e2.prev_hash, h1);
-        assert_eq!(e2.seq, 1);
-    }
-
-    #[test]
-    fn sequence_is_monotonic_starting_at_zero() {
-        let mut c = WitnessChain::new();
-        for i in 0..5 {
-            c.append("k", &[i], 0);
-        }
-        for (i, ev) in c.events().iter().enumerate() {
-            assert_eq!(ev.seq, i as u64);
-        }
-    }
-
-    #[test]
-    fn verify_passes_on_clean_chain() {
-        let mut c = WitnessChain::new();
-        c.append("fall_risk_elevated", b"{}", 100);
-        c.append("bed_exit", b"{}", 101);
-        c.append("privacy_mode_toggled", br#"{"on":true}"#, 102);
-        c.verify().expect("clean chain verifies");
-    }
-
-    #[test]
-    fn verify_catches_tampered_payload() {
-        let mut c = WitnessChain::new();
-        c.append("a", b"original", 100);
-        c.append("b", b"original2", 101);
-        // Tamper with event 0's payload directly.
-        c.events[0].payload = b"forged".to_vec();
-        let err = c.verify().unwrap_err();
-        assert!(matches!(err, WitnessVerifyError::HashMismatch { at: 0 }));
-    }
-
-    #[test]
-    fn verify_catches_broken_prev_link() {
-        let mut c = WitnessChain::new();
-        c.append("a", b"1", 100);
-        c.append("b", b"2", 101);
-        c.events[1].prev_hash = WitnessHash([0xff; 32]);
-        let err = c.verify().unwrap_err();
-        assert!(matches!(err, WitnessVerifyError::PrevHashMismatch { at: 1 }));
-    }
-
-    #[test]
-    fn verify_catches_seq_gap() {
-        let mut c = WitnessChain::new();
-        c.append("a", b"1", 100);
-        c.append("b", b"2", 101);
-        c.events[1].seq = 99;
-        let err = c.verify().unwrap_err();
-        assert!(matches!(err, WitnessVerifyError::SeqGap { at: 1, found: 99 }));
-    }
-
-    #[test]
-    fn hash_to_hex_is_64_lowercase_chars() {
-        let h = hash_event(WitnessHash::GENESIS, 0, 0, "k", b"p");
-        let hex = h.to_hex();
-        assert_eq!(hex.len(), 64);
-        assert!(hex.chars().all(|c| c.is_ascii_hexdigit() && !c.is_ascii_uppercase()));
-    }
-
-    #[test]
-    fn first_event_prev_hash_is_genesis() {
-        // Auditor relies on this: a witness bundle that doesn't start
-        // with prev_hash == GENESIS is either truncated or stitched
-        // together from two chains.
-        let mut c = WitnessChain::new();
-        let e = c.append("init", b"", 0);
-        assert_eq!(e.prev_hash, WitnessHash::GENESIS);
-        assert_eq!(e.seq, 0);
-    }
-
-    #[test]
-    fn different_payloads_produce_different_hashes() {
-        let h1 = hash_event(WitnessHash::GENESIS, 0, 100, "k", b"a");
-        let h2 = hash_event(WitnessHash::GENESIS, 0, 100, "k", b"b");
-        assert_ne!(h1, h2);
-    }
-
-    // ---- JSONL persistence ----
-
-    fn fresh_event() -> WitnessEvent {
-        let mut c = WitnessChain::new();
-        c.append("fall_risk_elevated", br#"{"node":"kitchen"}"#, 1779512400);
-        c.events()[0].clone()
-    }
-
-    #[test]
-    fn jsonl_round_trip_preserves_all_fields() {
-        let original = fresh_event();
-        let line = original.to_jsonl_line();
-        let parsed = WitnessEvent::from_jsonl_line(&line).expect("clean line round-trips");
-        assert_eq!(parsed, original);
-    }
-
-    #[test]
-    fn jsonl_line_has_no_embedded_newline() {
-        // JSONL is one record per line; an embedded \n in the
-        // serialized form would corrupt the file format.
-        let line = fresh_event().to_jsonl_line();
-        assert!(!line.contains('\n'));
-        assert!(!line.contains('\r'));
-    }
-
-    #[test]
-    fn jsonl_field_order_is_alphabetical_for_byte_stability() {
-        // Auditors archive whole bundles and hash them — reordered
-        // fields would silently invalidate archival hashes. Lock
-        // the order with a substring check on a known event.
-        let line = fresh_event().to_jsonl_line();
-        let order = ["kind", "payload_hex", "prev_hash", "seq", "this_hash", "timestamp_unix_s"];
-        let mut last = 0usize;
-        for field in order {
-            let pos = line.find(field).unwrap_or_else(|| panic!("missing field `{field}`"));
-            assert!(pos > last, "field `{field}` out of alphabetical order");
-            last = pos;
-        }
-    }
-
-    #[test]
-    fn jsonl_parser_rejects_tampered_payload() {
-        let original = fresh_event();
-        let line = original.to_jsonl_line();
-        // Flip one nibble in the payload hex — the stored hash
-        // won't match the recomputed hash.
-        let tampered = line.replacen("payload_hex\":\"7b", "payload_hex\":\"6b", 1);
-        assert_ne!(line, tampered, "test fixture didn't flip a byte");
-        let err = WitnessEvent::from_jsonl_line(&tampered).unwrap_err();
-        assert!(
-            matches!(err, WitnessParseError::HashMismatch),
-            "expected HashMismatch, got {err:?}"
-        );
-    }
-
-    #[test]
-    fn jsonl_parser_rejects_non_hex_hash() {
-        // Replace the hex hash with non-hex chars — must fire a
-        // structured error, not a panic.
-        let original = fresh_event();
-        let line = original.to_jsonl_line();
-        let broken = line.replacen(
-            &original.this_hash.to_hex()[..4],
-            "ZZZZ",
-            1,
-        );
-        let err = WitnessEvent::from_jsonl_line(&broken).unwrap_err();
-        assert!(matches!(err, WitnessParseError::HashHex { .. }));
-    }
-
-    #[test]
-    fn jsonl_parser_rejects_missing_field() {
-        let bad = r#"{"seq":0,"kind":"k","prev_hash":"00","this_hash":"00","timestamp_unix_s":1}"#;
-        let err = WitnessEvent::from_jsonl_line(bad).unwrap_err();
-        // Missing payload_hex; should fire MissingField before any
-        // hex decode happens.
-        assert!(matches!(err, WitnessParseError::MissingField("payload_hex")
-            | WitnessParseError::HashLength { .. }));
-    }
-
-    #[test]
-    fn hex_encode_decode_round_trip() {
-        let cases: &[&[u8]] = &[
-            b"",
-            b"\x00",
-            b"\xff",
-            b"hello world",
-            &[0x00, 0x01, 0xab, 0xcd, 0xef],
-        ];
-        for c in cases {
-            let encoded = hex_encode(c);
-            let decoded = hex_decode(&encoded).unwrap();
-            assert_eq!(&decoded[..], *c, "round-trip failed for {c:?}");
-        }
-    }
-
-    #[test]
-    fn hex_decode_rejects_odd_length() {
-        let err = hex_decode("abc").unwrap_err();
-        assert!(matches!(err, WitnessParseError::PayloadLength { found: 3 }));
-    }
-
-    #[test]
-    fn witness_hash_from_hex_round_trip() {
-        let h = WitnessHash([0x12; 32]);
-        let hex = h.to_hex();
-        let parsed = WitnessHash::from_hex(&hex).unwrap();
-        assert_eq!(parsed, h);
-    }
-
-    #[test]
-    fn witness_hash_from_hex_rejects_wrong_length() {
-        let err = WitnessHash::from_hex("ab").unwrap_err();
-        assert!(matches!(err, WitnessParseError::HashLength { found: 2 }));
-    }
-
-    // ---- file persistence (write_jsonl / read_jsonl) ----
-
-    #[test]
-    fn write_jsonl_empty_chain_writes_zero_bytes() {
-        let c = WitnessChain::new();
-        let mut buf = Vec::new();
-        c.write_jsonl(&mut buf).unwrap();
-        assert_eq!(buf, b"");
-    }
-
-    #[test]
-    fn write_then_read_round_trips_multi_event_chain() {
-        let mut written = WitnessChain::new();
-        written.append("a", b"first", 100);
-        written.append("b", b"second", 101);
-        written.append("c", br#"{"x":1}"#, 102);
-
-        let mut buf = Vec::new();
-        written.write_jsonl(&mut buf).unwrap();
-
-        let read_back = WitnessChain::read_jsonl(buf.as_slice()).unwrap();
-        assert_eq!(read_back.len(), 3);
-        assert_eq!(read_back.events(), written.events());
-        assert_eq!(read_back.tip(), written.tip());
-    }
-
-    #[test]
-    fn write_jsonl_separates_events_with_newline() {
-        let mut c = WitnessChain::new();
-        c.append("a", b"1", 100);
-        c.append("b", b"2", 101);
-        let mut buf = Vec::new();
-        c.write_jsonl(&mut buf).unwrap();
-        let s = std::str::from_utf8(&buf).unwrap();
-        // Exactly N newlines for N events.
-        assert_eq!(s.matches('\n').count(), 2);
-        assert!(s.ends_with('\n'));
-    }
-
-    #[test]
-    fn read_jsonl_tolerates_blank_lines() {
-        let mut c = WitnessChain::new();
-        c.append("a", b"1", 100);
-        c.append("b", b"2", 101);
-        let mut buf = Vec::new();
-        c.write_jsonl(&mut buf).unwrap();
-        // Inject blanks — sometimes happens when files are edited.
-        let with_blanks = format!(
-            "\n{}\n\n",
-            std::str::from_utf8(&buf).unwrap().trim_end()
-        );
-        let read = WitnessChain::read_jsonl(with_blanks.as_bytes()).unwrap();
-        assert_eq!(read.len(), 2);
-    }
-
-    #[test]
-    fn read_jsonl_surfaces_line_no_on_parse_error() {
-        // Two good events, then one with a flipped payload byte.
-        let mut c = WitnessChain::new();
-        c.append("a", b"1", 100);
-        c.append("b", b"2", 101);
-        let mut buf = Vec::new();
-        c.write_jsonl(&mut buf).unwrap();
-        let mut text = String::from_utf8(buf).unwrap();
-        let forged = c.events()[0].to_jsonl_line().replacen(
-            "payload_hex\":\"31",
-            "payload_hex\":\"32",
-            1,
-        );
-        text.push_str(&forged);
-        text.push('\n');
-
-        let err = WitnessChain::read_jsonl(text.as_bytes()).unwrap_err();
-        match err {
-            WitnessReadError::Parse { line_no, .. } => assert_eq!(line_no, 3),
-            other => panic!("expected Parse error at line 3, got {other:?}"),
-        }
-    }
-
-    #[test]
-    fn read_jsonl_chain_verify_catches_reordered_events() {
-        // Build a chain, then write it out with the events swapped.
-        // Each individual event still verifies its own hash (because
-        // its prev_hash is internally consistent with what *it*
-        // claimed), but the cross-event chain check fires.
-        let mut original = WitnessChain::new();
-        original.append("a", b"1", 100);
-        original.append("b", b"2", 101);
-        let mut buf = Vec::new();
-        original.write_jsonl(&mut buf).unwrap();
-        let lines: Vec<&[u8]> = buf.split(|&b| b == b'\n').filter(|s| !s.is_empty()).collect();
-        // Reverse order, send through reader.
-        let mut reversed: Vec<u8> = Vec::new();
-        reversed.extend_from_slice(lines[1]);
-        reversed.push(b'\n');
-        reversed.extend_from_slice(lines[0]);
-        reversed.push(b'\n');
-        let err = WitnessChain::read_jsonl(reversed.as_slice()).unwrap_err();
-        assert!(matches!(err, WitnessReadError::Verify { .. }));
-    }
-
-    #[test]
-    fn read_jsonl_no_trailing_newline_still_works() {
-        // BufRead's lines() handles the no-final-newline case; lock
-        // the behavior so a future swap to a different reader can't
-        // silently truncate the last event.
-        let mut c = WitnessChain::new();
-        c.append("only", b"x", 100);
-        let mut buf = Vec::new();
-        c.write_jsonl(&mut buf).unwrap();
-        // Strip the trailing \n.
-        if buf.last() == Some(&b'\n') {
-            buf.pop();
-        }
-        let read = WitnessChain::read_jsonl(buf.as_slice()).unwrap();
-        assert_eq!(read.len(), 1);
-    }
-}
@@ -1,231 +0,0 @@
-//! `witness_signing` — Ed25519 signature layer over the witness chain.
-//!
-//! ADR-116 §2.2: every state transition must be signed by the
-//! Seed so a downstream auditor can prove the chain wasn't
-//! retroactively assembled. The chain primitive
-//! (`witness::WitnessChain`) handles hash linkage; this module
-//! adds the cryptographic attestation.
-//!
-//! Kept in a separate module from the chain itself so:
-//!
-//!   * the hash chain stays usable without `ed25519-dalek` linked
-//!     in (good for the `wasm32-unknown-unknown` cog variant we'll
-//!     ship for browser-side audit verification),
-//!   * key rotation invalidates *signatures* but not the chain —
-//!     the auditor only needs the new public key to re-verify,
-//!   * the signing surface stays small enough to audit in one
-//!     read.
-//!
-//! ## What gets signed
-//!
-//! `sign_event(event, key)` signs the same canonical byte form
-//! that `witness::hash_event` hashes. That means:
-//!
-//!   1. A signature commits to the entire event (kind, payload,
-//!      timestamp, seq, prev_hash) — no field can be retroactively
-//!      changed without invalidating both the hash AND the
-//!      signature.
-//!   2. The signature implicitly commits to the *chain position*
-//!      via `prev_hash` — splicing a signed event into a different
-//!      chain breaks verification.
-//!
-//! ## Key management
-//!
-//! Out of scope for this module. The cog runtime reads the Seed's
-//! Ed25519 signing key from the Cognitum control plane's secure
-//! key store (separate concern). Tests use a fixed-bytes seed for
-//! determinism — never check in real Seed keys here.
-
-use ed25519_dalek::{Signature, Signer, SigningKey, Verifier, VerifyingKey};
-
-use crate::witness::{canonical_bytes, WitnessEvent};
-
-/// Sign a witness event with the Seed's Ed25519 key. Returns the
-/// 64-byte Ed25519 signature over the event's canonical bytes —
-/// the same bytes `witness::hash_event` hashes, so a verifier that
-/// already trusts the hash chain only needs one extra check.
-pub fn sign_event(event: &WitnessEvent, key: &SigningKey) -> Signature {
-    let bytes = canonical_bytes(
-        event.prev_hash,
-        event.seq,
-        event.timestamp_unix_s,
-        &event.kind,
-        &event.payload,
-    );
-    key.sign(&bytes)
-}
-
-/// Verify an Ed25519 signature against a witness event using the
-/// Seed's public key. `Ok(())` iff the signature is valid for the
-/// event's canonical bytes under this key.
-pub fn verify_signature(
-    event: &WitnessEvent,
-    signature: &Signature,
-    public_key: &VerifyingKey,
-) -> Result<(), SignatureVerifyError> {
-    let bytes = canonical_bytes(
-        event.prev_hash,
-        event.seq,
-        event.timestamp_unix_s,
-        &event.kind,
-        &event.payload,
-    );
-    public_key
-        .verify(&bytes, signature)
-        .map_err(|_| SignatureVerifyError::Invalid)
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error)]
-pub enum SignatureVerifyError {
-    #[error("Ed25519 signature does not match event under this public key")]
-    Invalid,
-}
-
-/// Encode a signature as 128 hex chars (no `0x` prefix). Matches the
-/// hex convention the rest of the witness wire format uses.
-pub fn signature_to_hex(sig: &Signature) -> String {
-    let bytes = sig.to_bytes();
-    let mut s = String::with_capacity(128);
-    for b in bytes {
-        s.push_str(&format!("{b:02x}"));
-    }
-    s
-}
-
-/// Parse a 128-char lowercase-hex string back into a `Signature`.
-pub fn signature_from_hex(s: &str) -> Result<Signature, SignatureParseError> {
-    if s.len() != 128 {
-        return Err(SignatureParseError::Length { found: s.len() });
-    }
-    let mut bytes = [0u8; 64];
-    for (i, byte) in bytes.iter_mut().enumerate() {
-        let lo = i * 2;
-        *byte = u8::from_str_radix(&s[lo..lo + 2], 16)
-            .map_err(|_| SignatureParseError::Hex { at: lo })?;
-    }
-    Ok(Signature::from_bytes(&bytes))
-}
-
-#[derive(Debug, Clone, PartialEq, Eq, thiserror::Error)]
-pub enum SignatureParseError {
-    #[error("signature hex must be 128 chars, got {found}")]
-    Length { found: usize },
-    #[error("signature hex parse error at byte offset {at}")]
-    Hex { at: usize },
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::witness::{WitnessChain, WitnessHash};
-
-    fn fixed_key() -> SigningKey {
-        // Deterministic test key — DO NOT use in production. The
-        // seed is `b"cog-ha-matter-unit-tests--------"` (32 bytes).
-        SigningKey::from_bytes(b"cog-ha-matter-unit-tests--------")
-    }
-
-    fn fresh_event() -> WitnessEvent {
-        let mut c = WitnessChain::new();
-        c.append("fall_risk_elevated", br#"{"node":"kitchen"}"#, 1779512400);
-        c.events()[0].clone()
-    }
-
-    #[test]
-    fn sign_and_verify_round_trip() {
-        let key = fixed_key();
-        let public = key.verifying_key();
-        let event = fresh_event();
-        let sig = sign_event(&event, &key);
-        verify_signature(&event, &sig, &public).expect("clean signature verifies");
-    }
-
-    #[test]
-    fn verify_rejects_signature_under_wrong_key() {
-        let key = fixed_key();
-        let other = SigningKey::from_bytes(b"different-key-different-key-----");
-        let event = fresh_event();
-        let sig = sign_event(&event, &key);
-        // Same event, signature from `key`, but verify under `other`'s
-        // public key — must fail.
-        let err = verify_signature(&event, &sig, &other.verifying_key()).unwrap_err();
-        assert_eq!(err, SignatureVerifyError::Invalid);
-    }
-
-    #[test]
-    fn verify_rejects_tampered_event() {
-        // Sign one event, then mutate the payload and verify the
-        // *mutated* event under the same signature. Must fail.
-        let key = fixed_key();
-        let public = key.verifying_key();
-        let mut event = fresh_event();
-        let sig = sign_event(&event, &key);
-        event.payload = b"forged-after-sign".to_vec();
-        let err = verify_signature(&event, &sig, &public).unwrap_err();
-        assert_eq!(err, SignatureVerifyError::Invalid);
-    }
-
-    #[test]
-    fn verify_rejects_event_with_wrong_prev_hash() {
-        // Same payload + kind, but the event claims a different
-        // chain position. Cryptographically bound to prev_hash via
-        // canonical bytes.
-        let key = fixed_key();
-        let public = key.verifying_key();
-        let mut event = fresh_event();
-        let sig = sign_event(&event, &key);
-        event.prev_hash = WitnessHash([0x77; 32]);
-        let err = verify_signature(&event, &sig, &public).unwrap_err();
-        assert_eq!(err, SignatureVerifyError::Invalid);
-    }
-
-    #[test]
-    fn signature_hex_round_trip() {
-        let key = fixed_key();
-        let event = fresh_event();
-        let sig = sign_event(&event, &key);
-        let hex = signature_to_hex(&sig);
-        assert_eq!(hex.len(), 128);
-        assert!(hex.chars().all(|c| c.is_ascii_hexdigit() && !c.is_ascii_uppercase()));
-        let parsed = signature_from_hex(&hex).unwrap();
-        assert_eq!(parsed.to_bytes(), sig.to_bytes());
-    }
-
-    #[test]
-    fn signature_from_hex_rejects_wrong_length() {
-        let err = signature_from_hex("abcd").unwrap_err();
-        assert_eq!(err, SignatureParseError::Length { found: 4 });
-    }
-
-    #[test]
-    fn signature_from_hex_rejects_non_hex() {
-        // 128 chars but non-hex.
-        let bad = "Z".repeat(128);
-        let err = signature_from_hex(&bad).unwrap_err();
-        assert!(matches!(err, SignatureParseError::Hex { at: 0 }));
-    }
-
-    #[test]
-    fn signature_is_deterministic_for_same_event_and_key() {
-        // Ed25519 is deterministic; locking this means a future
-        // accidental switch to a randomized scheme (RustCrypto's
-        // optional rand-based API) fires a named test.
-        let key = fixed_key();
-        let event = fresh_event();
-        let sig1 = sign_event(&event, &key);
-        let sig2 = sign_event(&event, &key);
-        assert_eq!(sig1.to_bytes(), sig2.to_bytes());
-    }
-
-    #[test]
-    fn different_events_produce_different_signatures() {
-        let key = fixed_key();
-        let mut a = fresh_event();
-        let mut b = fresh_event();
-        a.payload = b"a".to_vec();
-        b.payload = b"b".to_vec();
-        let sig_a = sign_event(&a, &key);
-        let sig_b = sign_event(&b, &key);
-        assert_ne!(sig_a.to_bytes(), sig_b.to_bytes());
-    }
-}
@@ -92,17 +92,3 @@ matter = []
 tempfile = "3.10"
 # `tower::ServiceExt::oneshot` for in-process Router tests (bearer_auth).
 tower = { workspace = true }
-# ADR-115 P9 — micro-benchmarks for MQTT hot paths + semantic bus.
-# Heavy dep tree (~80 transitive crates) so it's dev-only; benches live
-# behind --features mqtt because they bench the mqtt module.
-criterion = { version = "0.5", features = ["html_reports"] }
-# ADR-115 P9 — property-based fuzzing for the wire-boundary security
-# audit. Catches edge cases the example-based unit tests would miss
-# (random Unicode, control chars, etc.). Pinned to a small version that
-# doesn't pull in proptest-derive (we don't need it).
-proptest = { version = "1.5", default-features = false, features = ["std"] }
-
-[[bench]]
-name = "mqtt_throughput"
-harness = false
-required-features = ["mqtt"]
@@ -1,193 +0,0 @@
-//! ADR-115 P9 — MQTT pipeline throughput micro-benchmark.
-//!
-//! Measures the hot-path cost of:
-//!   - Building a HA discovery payload (`DiscoveryBuilder::build`)
-//!   - Encoding a numeric state message (`StateEncoder::numeric`)
-//!   - Rate-limit decision (`RateLimiter::allow`)
-//!   - Privacy filter (`privacy::decide`)
-//!   - Full bus tick across all 10 semantic primitives
-//!
-//! Targets (laptop-class, single-threaded, release build):
-//!   - discovery payload: < 5 µs
-//!   - state encode:      < 2 µs
-//!   - rate limit:        < 100 ns
-//!   - privacy decide:    < 50 ns
-//!   - bus tick (10 prim):< 10 µs
-//!
-//! The bench is intentionally feature-gated so the default workspace
-//! build doesn't pull `criterion` in (it has a big-ish dep tree).
-//!
-//! Run with:
-//!   cargo bench -p wifi-densepose-sensing-server --bench mqtt_throughput
-
-#![cfg(feature = "mqtt")]
-
-use std::time::Duration;
-
-use criterion::{black_box, criterion_group, criterion_main, BatchSize, Criterion};
-
-use wifi_densepose_sensing_server::mqtt::{
-    config::PublishRates,
-    discovery::{DiscoveryBuilder, EntityKind},
-    privacy::decide,
-    state::{RateLimiter, StateEncoder, VitalsSnapshot},
-};
-use wifi_densepose_sensing_server::semantic::{PrimitiveConfig, RawSnapshot, SemanticBus};
-
-fn builder() -> DiscoveryBuilder<'static> {
-    DiscoveryBuilder {
-        discovery_prefix: "homeassistant",
-        node_id: "aabbccddeeff",
-        node_friendly_name: Some("Bedroom"),
-        sw_version: "v0.7.0",
-        model: "ESP32-S3 CSI node",
-        via_device: Some("cognitum_seed_1"),
-    }
-}
-
-fn snap() -> VitalsSnapshot {
-    VitalsSnapshot {
-        node_id: "aabbccddeeff".into(),
-        timestamp_ms: 1779_512_400_000,
-        presence: true,
-        fall_detected: false,
-        motion: 0.35,
-        motion_energy: 1234.5,
-        presence_score: 0.91,
-        breathing_rate_bpm: Some(14.2),
-        heartrate_bpm: Some(68.2),
-        n_persons: 1,
-        rssi_dbm: Some(-52.0),
-        vital_confidence: 0.87,
-    }
-}
-
-fn raw_snap() -> RawSnapshot {
-    RawSnapshot {
-        node_id: "aabbccddeeff".into(),
-        since_start: Duration::from_secs(120),
-        timestamp_ms: 1779_512_400_000,
-        presence: true,
-        fall_detected: false,
-        motion: 0.35,
-        motion_energy: 1234.5,
-        breathing_rate_bpm: Some(14.2),
-        heart_rate_bpm: Some(68.2),
-        n_persons: 1,
-        rssi_dbm: Some(-52.0),
-        vital_confidence: 0.87,
-        active_zones: vec!["bathroom".into()],
-        bed_zones: vec!["bedroom".into()],
-        local_seconds_since_midnight: 2 * 3600,
-    }
-}
-
-fn rates() -> PublishRates {
-    PublishRates::default()
-}
-
-fn bench_discovery_payload(c: &mut Criterion) {
-    let b = builder();
-    c.bench_function("discovery::build_presence", |bench| {
-        bench.iter(|| {
-            let cfg = b.build(black_box(EntityKind::Presence));
-            black_box(serde_json::to_string(&cfg).unwrap())
-        });
-    });
-    c.bench_function("discovery::build_heart_rate", |bench| {
-        bench.iter(|| {
-            let cfg = b.build(black_box(EntityKind::HeartRate));
-            black_box(serde_json::to_string(&cfg).unwrap())
-        });
-    });
-    c.bench_function("discovery::build_fall_event", |bench| {
-        bench.iter(|| {
-            let cfg = b.build(black_box(EntityKind::FallDetected));
-            black_box(serde_json::to_string(&cfg).unwrap())
-        });
-    });
-}
-
-fn bench_state_encode(c: &mut Criterion) {
-    let b = builder();
-    let s = snap();
-    let enc = StateEncoder { builder: &b };
-    c.bench_function("state::numeric_heart_rate", |bench| {
-        bench.iter(|| {
-            black_box(enc.numeric(EntityKind::HeartRate, &s).unwrap())
-        });
-    });
-    c.bench_function("state::boolean_presence", |bench| {
-        bench.iter(|| {
-            black_box(enc.boolean(EntityKind::Presence, true).unwrap())
-        });
-    });
-    c.bench_function("state::event_fall", |bench| {
-        bench.iter(|| {
-            black_box(enc.event(EntityKind::FallDetected, "fall_detected", 0, Some(0.87)).unwrap())
-        });
-    });
-}
-
-fn bench_rate_limit(c: &mut Criterion) {
-    let r = rates();
-    c.bench_function("rate_limiter::allow_first", |bench| {
-        bench.iter_batched(
-            RateLimiter::new,
-            |mut rl| {
-                black_box(rl.allow(
-                    black_box(EntityKind::HeartRate),
-                    Duration::from_secs(0),
-                    &r,
-                ))
-            },
-            BatchSize::SmallInput,
-        );
-    });
-    c.bench_function("rate_limiter::allow_within_gap", |bench| {
-        bench.iter_batched(
-            || {
-                let mut rl = RateLimiter::new();
-                rl.allow(EntityKind::HeartRate, Duration::from_secs(0), &r);
-                rl
-            },
-            |mut rl| {
-                black_box(rl.allow(
-                    black_box(EntityKind::HeartRate),
-                    Duration::from_secs(1),
-                    &r,
-                ))
-            },
-            BatchSize::SmallInput,
-        );
-    });
-}
-
-fn bench_privacy(c: &mut Criterion) {
-    c.bench_function("privacy::decide_hr_strip", |bench| {
-        bench.iter(|| black_box(decide(EntityKind::HeartRate, true)));
-    });
-    c.bench_function("privacy::decide_presence_keep", |bench| {
-        bench.iter(|| black_box(decide(EntityKind::Presence, true)));
-    });
-}
-
-fn bench_semantic_bus(c: &mut Criterion) {
-    c.bench_function("semantic::bus_tick_all_10_primitives", |bench| {
-        bench.iter_batched(
-            || (SemanticBus::new(PrimitiveConfig::default()), raw_snap()),
-            |(mut bus, s)| black_box(bus.tick(&s)),
-            BatchSize::SmallInput,
-        );
-    });
-}
-
-criterion_group!(
-    benches,
-    bench_discovery_payload,
-    bench_state_encode,
-    bench_rate_limit,
-    bench_privacy,
-    bench_semantic_bus,
-);
-criterion_main!(benches);
@@ -1,143 +0,0 @@
-//! ADR-115 P6 — minimal runnable example wiring the MQTT publisher
-//! against a broadcast channel of `VitalsSnapshot`s.
-//!
-//! Run with:
-//!     cargo run --release -p wifi-densepose-sensing-server \
-//!         --features mqtt --example mqtt_publisher -- \
-//!         --mqtt --mqtt-host 127.0.0.1
-//!
-//! Then in another terminal:
-//!     mosquitto_sub -h 127.0.0.1 -t 'homeassistant/#' -v
-//!
-//! You should see one HA discovery `config` topic per entity per node
-//! land within a second of startup, followed by `state` topics ticking
-//! at the configured rates.
-//!
-//! This example is the production-wiring blueprint for `main.rs`:
-//! every line below is what the binary's startup path should do when
-//! `args.mqtt` is true. Keeping it in `examples/` lets us validate the
-//! wiring end-to-end without touching the 6000-line main.rs (which is
-//! the active edit surface of the parallel ADR-110 agent — see
-//! [[feedback-multi-agent-worktree]]).
-
-// The full example body needs the `mqtt` feature (rumqttc, publisher::spawn,
-// etc.). When the feature is off we provide a stub `main` so the example
-// still compiles cleanly during a default `cargo build --workspace` —
-// otherwise CI fails with E0601 (`main function not found`) on every PR
-// that touches the workspace, even ones unrelated to ADR-115.
-#[cfg(not(feature = "mqtt"))]
-fn main() {
-    eprintln!(
-        "This example requires --features mqtt. Re-run with: \n  \
-         cargo run -p wifi-densepose-sensing-server --features mqtt \
-         --example mqtt_publisher -- --mqtt"
-    );
-    std::process::exit(2);
-}
-
-#[cfg(feature = "mqtt")]
-use std::sync::Arc;
-#[cfg(feature = "mqtt")]
-use std::time::Duration;
-
-#[cfg(feature = "mqtt")]
-use clap::Parser;
-#[cfg(feature = "mqtt")]
-use tokio::sync::broadcast;
-#[cfg(feature = "mqtt")]
-use tracing::info;
-#[cfg(feature = "mqtt")]
-use wifi_densepose_sensing_server::cli::Args;
-#[cfg(feature = "mqtt")]
-use wifi_densepose_sensing_server::mqtt::{
-    config::MqttConfig,
-    publisher::{spawn, OwnedDiscoveryBuilder},
-    security::audit,
-    state::VitalsSnapshot,
-};
-
-#[cfg(feature = "mqtt")]
-#[tokio::main]
-async fn main() -> Result<(), Box<dyn std::error::Error>> {
-    tracing_subscriber::fmt::init();
-
-    let args = Args::parse();
-
-    if !args.mqtt {
-        eprintln!("This example requires --mqtt. Aborting.");
-        std::process::exit(2);
-    }
-
-    // 1. Build MqttConfig from CLI + run the security audit before any
-    //    network I/O. A failed audit short-circuits with a clear error.
-    let cfg = Arc::new(MqttConfig::from_args(&args));
-    match audit(&cfg) {
-        Ok(()) => {}
-        Err(e) if !e.is_fatal() => {
-            tracing::warn!(error = %e, "non-fatal MQTT audit advisory");
-        }
-        Err(e) => {
-            eprintln!("MQTT audit failed: {e}");
-            std::process::exit(1);
-        }
-    }
-
-    // 2. The DiscoveryBuilder owns the per-node identity. In a real
-    //    deployment each ESP32 node would get its own builder; here we
-    //    fake one for demonstration.
-    let builder = OwnedDiscoveryBuilder {
-        discovery_prefix: cfg.discovery_prefix.clone(),
-        node_id: "example_node".into(),
-        node_friendly_name: Some("Example RuView Node".into()),
-        sw_version: env!("CARGO_PKG_VERSION").into(),
-        model: "ESP32-S3 CSI node (example)".into(),
-        via_device: None,
-    };
-
-    // 3. Broadcast channel — `sensing-server` already creates one of
-    //    these in main.rs (the one the WebSocket handler subscribes to).
-    //    We mirror it here.
-    let (tx, rx) = broadcast::channel::<VitalsSnapshot>(256);
-
-    // 4. Spawn the publisher. It returns a JoinHandle the caller can
-    //    await on shutdown.
-    let publisher = spawn(cfg.clone(), builder, rx);
-    info!("publisher spawned, sending demo snapshots every 500ms");
-
-    // 5. Demo loop — produce a fresh VitalsSnapshot every 500ms with
-    //    alternating presence so HA sees ON/OFF transitions.
-    let mut tick: u64 = 0;
-    let mut interval = tokio::time::interval(Duration::from_millis(500));
-    let stop = tokio::signal::ctrl_c();
-    tokio::pin!(stop);
-    loop {
-        tokio::select! {
-            _ = interval.tick() => {
-                tick += 1;
-                let snap = VitalsSnapshot {
-                    node_id: "example_node".into(),
-                    timestamp_ms: chrono::Utc::now().timestamp_millis(),
-                    presence: tick % 20 < 10,
-                    fall_detected: tick % 60 == 30,
-                    motion: 0.10 + ((tick as f64).sin().abs() * 0.30),
-                    motion_energy: 1000.0 + (tick as f64).cos() * 200.0,
-                    presence_score: 0.85,
-                    breathing_rate_bpm: Some(13.0 + ((tick as f64) * 0.05).sin()),
-                    heartrate_bpm: Some(68.0 + ((tick as f64) * 0.03).sin() * 5.0),
-                    n_persons: if tick % 20 < 10 { 1 } else { 0 },
-                    rssi_dbm: Some(-50.0 + ((tick as f64) * 0.1).sin() * 5.0),
-                    vital_confidence: 0.85,
-                };
-                let _ = tx.send(snap);
-            }
-            _ = &mut stop => {
-                info!("ctrl-c received, shutting down");
-                break;
-            }
-        }
-    }
-
-    drop(tx); // close broadcast → publisher publishes `offline` + disconnects.
-    let _ = tokio::time::timeout(Duration::from_secs(2), publisher).await;
-    Ok(())
-}
@@ -8,7 +8,6 @@
 //! - Real-time CSI introspection / low-latency tap (`introspection`, ADR-099)

 pub mod bearer_auth;
-pub mod cli;
 pub mod dataset;
 pub mod edge_registry;
 #[allow(dead_code)]
@@ -16,10 +15,7 @@ pub mod embedding;
 pub mod graph_transformer;
 pub mod host_validation;
 pub mod introspection;
-pub mod matter;
-pub mod mqtt;
 pub mod path_safety;
-pub mod semantic;
 pub mod rvf_container;
 pub mod rvf_pipeline;
 pub mod sona;
@@ -1,327 +0,0 @@
-//! Matter bridge-tree assembly (ADR-115 §3.11.2).
-//!
-//! Given a list of RuView nodes and the `EntityKind`s enabled for
-//! each, produce the Matter endpoint tree the SDK will materialise:
-//!
-//! ```text
-//! Endpoint 0 (root: BridgedDevicesAggregator)
-//!   Endpoint 1 (BridgedNode for ruview-node-0)
-//!     Endpoint 2 (OccupancySensor for presence + PersonCount attr)
-//!     Endpoint 3 (OccupancySensor for zone_kitchen)
-//!     Endpoint 4 (OccupancySensor for SomeoneSleeping)
-//!     Endpoint 5 (GenericSwitch for FallDetected)
-//!     …
-//!   Endpoint N (BridgedNode for ruview-node-1)
-//!     …
-//! ```
-//!
-//! Tree assembly is pure logic — no SDK calls. The SDK layer reads
-//! this struct and registers the matching clusters. Splitting this
-//! out keeps the bridge topology testable independently of the
-//! `rs-matter` / chip-tool choice (per §9.10).
-
-use crate::mqtt::discovery::EntityKind;
-
-use super::clusters::{
-    matter_mapping, MatterClusterMapping, DEVICE_TYPE_AGGREGATOR,
-    DEVICE_TYPE_BRIDGED_NODE,
-};
-
-/// One endpoint on the Matter device tree.
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub struct Endpoint {
-    pub endpoint_id: u16,
-    pub device_type: u32,
-    pub label: String,
-    pub clusters: Vec<u32>,
-    pub vendor_attrs: Vec<u32>,
-    /// `Some(_)` if this endpoint maps back to an `EntityKind`;
-    /// `None` for structural endpoints (aggregator root, bridged node).
-    pub source_entity: Option<EntityKind>,
-}
-
-/// One RuView node's slice of the bridge tree.
-#[derive(Debug, Clone)]
-pub struct NodeBranch {
-    pub node_id: String,
-    pub friendly_name: String,
-    pub bridged_node_endpoint: u16,
-    pub child_endpoints: Vec<Endpoint>,
-}
-
-/// Whole bridge tree the SDK will materialise.
-#[derive(Debug, Clone)]
-pub struct BridgeTree {
-    pub root: Endpoint,
-    pub nodes: Vec<NodeBranch>,
-}
-
-/// Builds a [`BridgeTree`] from a list of `(node_id, friendly_name,
-/// entities)` tuples. Endpoint IDs are assigned monotonically starting
-/// at 1 (Matter reserves endpoint 0 for the root).
-pub fn build_bridge_tree(nodes: &[(String, String, Vec<EntityKind>)]) -> BridgeTree {
-    let root = Endpoint {
-        endpoint_id: 0,
-        device_type: DEVICE_TYPE_AGGREGATOR,
-        label: "RuView Bridge".into(),
-        clusters: vec![super::clusters::CLUSTER_BASIC_INFORMATION],
-        vendor_attrs: vec![],
-        source_entity: None,
-    };
-
-    let mut next_endpoint: u16 = 1;
-    let mut branches = Vec::with_capacity(nodes.len());
-
-    for (node_id, friendly_name, entities) in nodes {
-        let bridged_node_ep = next_endpoint;
-        next_endpoint += 1;
-
-        let mut children = Vec::new();
-
-        // Build a children-by-mapping bucket: entities that share the
-        // OccupancySensor endpoint (e.g. PersonCount attaches to
-        // Presence's endpoint) collapse onto the parent rather than
-        // taking their own endpoint ID.
-        let mut presence_endpoint_id: Option<u16> = None;
-
-        for entity in entities {
-            let Some(m) = matter_mapping(*entity) else {
-                continue; // explicitly MQTT-only
-            };
-
-            if m.shares_occupancy_endpoint {
-                if let Some(parent_ep) = presence_endpoint_id {
-                    // Attach as vendor attribute on the parent endpoint.
-                    if let Some(parent) = children
-                        .iter_mut()
-                        .find(|c: &&mut Endpoint| c.endpoint_id == parent_ep)
-                    {
-                        if let Some(va) = m.vendor_attr_id {
-                            parent.vendor_attrs.push(va);
-                        }
-                        parent.source_entity.get_or_insert(*entity);
-                    }
-                    continue;
-                }
-            }
-
-            let ep_id = next_endpoint;
-            next_endpoint += 1;
-            let mut ep = Endpoint {
-                endpoint_id: ep_id,
-                device_type: m.device_type,
-                label: format!("{:?}", entity),
-                clusters: vec![m.cluster, super::clusters::CLUSTER_BASIC_INFORMATION],
-                vendor_attrs: m.vendor_attr_id.into_iter().collect(),
-                source_entity: Some(*entity),
-            };
-            // Switch endpoints need the event cluster declared
-            // (already covered by `clusters` above — but we record it
-            // for the SDK layer's convenience).
-            if matches!(*entity, EntityKind::Presence) {
-                presence_endpoint_id = Some(ep_id);
-            }
-            if let Some(_eid) = m.event_id {
-                // Event support is implicit when the Switch cluster is
-                // present; the SDK reads the cluster and exposes the
-                // event automatically. No extra field needed.
-            }
-            children.push(ep);
-        }
-
-        branches.push(NodeBranch {
-            node_id: node_id.clone(),
-            friendly_name: friendly_name.clone(),
-            bridged_node_endpoint: bridged_node_ep,
-            child_endpoints: children,
-        });
-    }
-
-    BridgeTree {
-        root,
-        nodes: branches,
-    }
-}
-
-impl BridgeTree {
-    /// Total number of endpoints (root + bridged nodes + per-entity).
-    pub fn total_endpoints(&self) -> usize {
-        let per_node: usize = self
-            .nodes
-            .iter()
-            .map(|n| 1 + n.child_endpoints.len()) // BridgedNode + children
-            .sum();
-        1 /* root */ + per_node
-    }
-
-    /// Look up an endpoint by its assigned ID. Returns `None` if no
-    /// endpoint with that ID exists in the tree.
-    pub fn endpoint(&self, id: u16) -> Option<EndpointRef<'_>> {
-        if self.root.endpoint_id == id {
-            return Some(EndpointRef::Root(&self.root));
-        }
-        for n in &self.nodes {
-            if n.bridged_node_endpoint == id {
-                return Some(EndpointRef::BridgedNode(n));
-            }
-            for child in &n.child_endpoints {
-                if child.endpoint_id == id {
-                    return Some(EndpointRef::Child { branch: n, child });
-                }
-            }
-        }
-        None
-    }
-}
-
-/// Resolved endpoint with backref to the owning branch (for logging /
-/// error messages).
-pub enum EndpointRef<'a> {
-    Root(&'a Endpoint),
-    BridgedNode(&'a NodeBranch),
-    Child { branch: &'a NodeBranch, child: &'a Endpoint },
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::mqtt::discovery::EntityKind::*;
-
-    fn fixture() -> Vec<(String, String, Vec<EntityKind>)> {
-        vec![(
-            "node_aabb".into(),
-            "Bedroom".into(),
-            vec![
-                Presence,
-                PersonCount, // shares Presence's endpoint
-                SomeoneSleeping,
-                FallDetected,
-                HeartRate, // MQTT-only → must NOT add an endpoint
-            ],
-        )]
-    }
-
-    #[test]
-    fn tree_has_aggregator_root() {
-        let tree = build_bridge_tree(&fixture());
-        assert_eq!(tree.root.endpoint_id, 0);
-        assert_eq!(tree.root.device_type, DEVICE_TYPE_AGGREGATOR);
-    }
-
-    #[test]
-    fn one_branch_per_node() {
-        let tree = build_bridge_tree(&fixture());
-        assert_eq!(tree.nodes.len(), 1);
-        assert_eq!(tree.nodes[0].node_id, "node_aabb");
-        assert_eq!(tree.nodes[0].friendly_name, "Bedroom");
-        assert_eq!(tree.nodes[0].bridged_node_endpoint, 1);
-    }
-
-    #[test]
-    fn person_count_collapses_onto_presence_endpoint() {
-        let tree = build_bridge_tree(&fixture());
-        let branch = &tree.nodes[0];
-
-        // Children: Presence/PersonCount (1 ep), SomeoneSleeping (1 ep),
-        // FallDetected (1 ep) = 3 endpoints. HR/BR → skipped.
-        assert_eq!(branch.child_endpoints.len(), 3);
-
-        // Find the Presence endpoint — it should carry the PersonCount
-        // vendor attribute.
-        let presence_ep = branch
-            .child_endpoints
-            .iter()
-            .find(|e| e.source_entity == Some(Presence))
-            .expect("presence endpoint missing");
-        assert!(presence_ep
-            .vendor_attrs
-            .contains(&super::super::clusters::VENDOR_ATTR_PERSON_COUNT));
-    }
-
-    #[test]
-    fn biometric_entities_skip_matter_tree() {
-        let tree = build_bridge_tree(&fixture());
-        let branch = &tree.nodes[0];
-        for ep in &branch.child_endpoints {
-            assert!(
-                ep.source_entity != Some(HeartRate),
-                "HeartRate must NOT have a Matter endpoint"
-            );
-            assert!(
-                ep.source_entity != Some(BreathingRate),
-                "BreathingRate must NOT have a Matter endpoint"
-            );
-        }
-    }
-
-    #[test]
-    fn each_child_carries_basic_information_cluster() {
-        let tree = build_bridge_tree(&fixture());
-        for branch in &tree.nodes {
-            for ep in &branch.child_endpoints {
-                assert!(
-                    ep.clusters
-                        .contains(&super::super::clusters::CLUSTER_BASIC_INFORMATION),
-                    "every endpoint must declare BasicInformation"
-                );
-            }
-        }
-    }
-
-    #[test]
-    fn endpoint_ids_are_monotonic_and_unique() {
-        let tree = build_bridge_tree(&fixture());
-        let mut all_ids = vec![tree.root.endpoint_id];
-        for branch in &tree.nodes {
-            all_ids.push(branch.bridged_node_endpoint);
-            for ep in &branch.child_endpoints {
-                all_ids.push(ep.endpoint_id);
-            }
-        }
-        let mut sorted = all_ids.clone();
-        sorted.sort_unstable();
-        sorted.dedup();
-        assert_eq!(all_ids.len(), sorted.len(), "endpoint IDs must be unique");
-    }
-
-    #[test]
-    fn total_endpoints_matches_explicit_count() {
-        let tree = build_bridge_tree(&fixture());
-        // 1 root + 1 bridged + 3 children = 5.
-        assert_eq!(tree.total_endpoints(), 5);
-    }
-
-    #[test]
-    fn endpoint_lookup_resolves_all_ids() {
-        let tree = build_bridge_tree(&fixture());
-        for id in 0..tree.total_endpoints() as u16 {
-            let er = tree.endpoint(id);
-            assert!(er.is_some(), "endpoint {} not findable", id);
-        }
-        // Unknown ID returns None.
-        assert!(tree.endpoint(999).is_none());
-    }
-
-    #[test]
-    fn multi_node_tree_keeps_per_node_isolation() {
-        let nodes = vec![
-            ("aabb".into(), "Bedroom".into(), vec![Presence, FallDetected]),
-            ("ccdd".into(), "Living".into(), vec![Presence, MeetingInProgress]),
-        ];
-        let tree = build_bridge_tree(&nodes);
-        assert_eq!(tree.nodes.len(), 2);
-        // Each node's children are isolated to that branch.
-        for branch in &tree.nodes {
-            assert_eq!(branch.child_endpoints.len(), 2);
-        }
-        // Total endpoints: 1 root + (1 bridged + 2 children) × 2 = 7.
-        assert_eq!(tree.total_endpoints(), 7);
-    }
-
-    #[test]
-    fn empty_node_list_yields_just_root() {
-        let tree = build_bridge_tree(&[]);
-        assert_eq!(tree.nodes.len(), 0);
-        assert_eq!(tree.total_endpoints(), 1); // just the root
-    }
-}
@@ -1,329 +0,0 @@
-//! Matter cluster + device-type ID mappings for RuView entities.
-//!
-//! IDs come from the **Matter Core Spec 1.3 §A.1 Reserved Cluster IDs**
-//! and **§1.3 Device Library**. Where ADR-115 §3.11.1 uses a name,
-//! the constant below carries the spec hex.
-
-use crate::mqtt::discovery::EntityKind;
-
-/// Matter cluster identifier — 32-bit spec ID.
-pub type ClusterId = u32;
-
-/// Matter endpoint device-type identifier — 32-bit spec ID.
-pub type EndpointTypeId = u32;
-
-// ── Matter Core Spec 1.3 — Reserved Cluster IDs we publish ───────────
-/// Per §A.1.4 "OccupancySensing" — boolean occupancy + occupancy
-/// sensor type bitmap.
-pub const CLUSTER_OCCUPANCY_SENSING: ClusterId = 0x0406;
-
-/// Per §A.1.6 "Switch" — momentary press events used to fire fall /
-/// bed-exit / multi-room one-shots.
-pub const CLUSTER_SWITCH: ClusterId = 0x003B;
-
-/// Per §A.1.0 "BasicInformation" — Vendor ID, Product ID, software
-/// version, serial number. Every endpoint includes this.
-pub const CLUSTER_BASIC_INFORMATION: ClusterId = 0x0028;
-
-/// Per §A.1.5 "BooleanState" — single boolean attribute. Used for
-/// non-occupancy boolean primitives (no_movement etc.) where the
-/// occupancy semantics would be misleading to controllers.
-pub const CLUSTER_BOOLEAN_STATE: ClusterId = 0x0045;
-
-/// Per §A.1.16 "BridgedDeviceBasicInformation" — identifies a bridged
-/// device (one per RuView node) on a Matter Bridged Devices Aggregator.
-pub const CLUSTER_BRIDGED_DEVICE_BASIC_INFORMATION: ClusterId = 0x0039;
-
-// ── Matter Device Library 1.3 — Device-type IDs ──────────────────────
-/// Per §7.3 OccupancySensor.
-pub const DEVICE_TYPE_OCCUPANCY_SENSOR: EndpointTypeId = 0x0107;
-/// Per §6.6 GenericSwitch. Used for fall / bed-exit / multi-room events.
-pub const DEVICE_TYPE_GENERIC_SWITCH: EndpointTypeId = 0x000F;
-/// Per §10.2 Aggregator. The top-level endpoint that exposes all
-/// bridged RuView nodes.
-pub const DEVICE_TYPE_AGGREGATOR: EndpointTypeId = 0x000E;
-/// Per §10.1 Bridged Node — one endpoint per RuView physical node.
-pub const DEVICE_TYPE_BRIDGED_NODE: EndpointTypeId = 0x0013;
-
-// ── Vendor-extension attribute (per ADR §3.11.1) ─────────────────────
-/// Vendor-extension attribute carrying `n_persons` on the
-/// OccupancySensing cluster. Apple Home / Google Home will ignore this
-/// gracefully; HA + SmartThings will surface it via the Matter
-/// integration's attribute-renderer.
-///
-/// Attribute IDs ≥ 0xFFF1_0000 are reserved for vendor extensions per
-/// Matter Core §7.18.2. We use 0xFFF1_0001 = "wifi-densepose person
-/// count".
-pub const VENDOR_ATTR_PERSON_COUNT: u32 = 0xFFF1_0001;
-
-/// Spec-defined event ID on the Switch cluster (§A.1.6.5.4).
-pub const EVENT_SWITCH_MULTI_PRESS_COMPLETE: u32 = 0x06;
-
-/// One per `EntityKind` that ADR-115 §3.11.1 maps to Matter. Entities
-/// NOT in the table (HR / BR / pose / motion_energy / presence_score)
-/// are explicitly not exposed over Matter — there are no spec
-/// clusters for them today.
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub struct MatterClusterMapping {
-    /// Which cluster the entity lives on.
-    pub cluster: ClusterId,
-    /// Which device-type the endpoint declares.
-    pub device_type: EndpointTypeId,
-    /// `Some(_)` if the entity emits Matter events (vs. attribute
-    /// reads); `None` if it's read as a cluster attribute.
-    pub event_id: Option<u32>,
-    /// `Some(_)` if the entity uses a vendor-extension attribute
-    /// rather than a spec attribute.
-    pub vendor_attr_id: Option<u32>,
-    /// True iff this entity belongs on the same endpoint as the parent
-    /// node's OccupancySensor (multi-attribute entity grouping).
-    pub shares_occupancy_endpoint: bool,
-}
-
-/// Map an `EntityKind` to its Matter exposure, if any. Returns `None`
-/// for entities that are deliberately MQTT-only because no Matter
-/// cluster represents them (HR / BR / pose / motion_energy / presence_score).
-pub fn matter_mapping(entity: EntityKind) -> Option<MatterClusterMapping> {
-    use EntityKind::*;
-    Some(match entity {
-        Presence | ZoneOccupancy => MatterClusterMapping {
-            cluster: CLUSTER_OCCUPANCY_SENSING,
-            device_type: DEVICE_TYPE_OCCUPANCY_SENSOR,
-            event_id: None,
-            vendor_attr_id: None,
-            shares_occupancy_endpoint: false,
-        },
-        PersonCount => MatterClusterMapping {
-            cluster: CLUSTER_OCCUPANCY_SENSING,
-            device_type: DEVICE_TYPE_OCCUPANCY_SENSOR,
-            event_id: None,
-            vendor_attr_id: Some(VENDOR_ATTR_PERSON_COUNT),
-            shares_occupancy_endpoint: true,
-        },
-        FallDetected | BedExit | MultiRoomTransition => MatterClusterMapping {
-            cluster: CLUSTER_SWITCH,
-            device_type: DEVICE_TYPE_GENERIC_SWITCH,
-            event_id: Some(EVENT_SWITCH_MULTI_PRESS_COMPLETE),
-            vendor_attr_id: None,
-            shares_occupancy_endpoint: false,
-        },
-        // Semantic primitives that surface as occupancy-style booleans
-        // (separate endpoints — one per primitive — so controllers can
-        // bind individual scenes to each).
-        SomeoneSleeping
-        | RoomActive
-        | MeetingInProgress
-        | BathroomOccupied => MatterClusterMapping {
-            cluster: CLUSTER_OCCUPANCY_SENSING,
-            device_type: DEVICE_TYPE_OCCUPANCY_SENSOR,
-            event_id: None,
-            vendor_attr_id: None,
-            shares_occupancy_endpoint: false,
-        },
-        // Problem-state booleans use BooleanState — semantically they
-        // are NOT occupancy, and controllers shouldn't wire them into
-        // motion-light scenes.
-        PossibleDistress | ElderlyInactivityAnomaly | NoMovement => MatterClusterMapping {
-            cluster: CLUSTER_BOOLEAN_STATE,
-            device_type: DEVICE_TYPE_OCCUPANCY_SENSOR,
-            event_id: None,
-            vendor_attr_id: None,
-            shares_occupancy_endpoint: false,
-        },
-        // Fall-risk scalar surfaces as a vendor-extension attribute on
-        // the parent BridgedNode (no Matter spec for risk scores).
-        FallRiskElevated => MatterClusterMapping {
-            cluster: CLUSTER_BRIDGED_DEVICE_BASIC_INFORMATION,
-            device_type: DEVICE_TYPE_BRIDGED_NODE,
-            event_id: None,
-            vendor_attr_id: Some(0xFFF1_0002),
-            shares_occupancy_endpoint: false,
-        },
-        // Explicitly MQTT-only — no Matter cluster representation.
-        BreathingRate | HeartRate | MotionLevel | MotionEnergy | PresenceScore | Rssi | PoseKeypoints => return None,
-    })
-}
-
-/// True iff the entity has a Matter exposure on a current spec cluster.
-pub fn entity_on_matter(entity: EntityKind) -> bool {
-    matter_mapping(entity).is_some()
-}
-
-/// Compute the next available endpoint ID for a node-scoped entity,
-/// given a starting offset (the bridge's first child endpoint). Used
-/// by the publisher to assign per-primitive endpoints deterministically.
-pub fn next_endpoint(base: u16, primitive_index: u16) -> u16 {
-    base.saturating_add(primitive_index)
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn presence_maps_to_occupancy_sensor() {
-        let m = matter_mapping(EntityKind::Presence).unwrap();
-        assert_eq!(m.cluster, 0x0406);          // OccupancySensing
-        assert_eq!(m.device_type, 0x0107);      // OccupancySensor
-        assert!(m.event_id.is_none());
-        assert!(m.vendor_attr_id.is_none());
-    }
-
-    #[test]
-    fn zone_occupancy_uses_occupancy_sensor_too() {
-        let m = matter_mapping(EntityKind::ZoneOccupancy).unwrap();
-        assert_eq!(m.cluster, CLUSTER_OCCUPANCY_SENSING);
-        assert_eq!(m.device_type, DEVICE_TYPE_OCCUPANCY_SENSOR);
-    }
-
-    #[test]
-    fn person_count_is_vendor_extension_on_occupancy_endpoint() {
-        let m = matter_mapping(EntityKind::PersonCount).unwrap();
-        assert_eq!(m.cluster, CLUSTER_OCCUPANCY_SENSING);
-        assert_eq!(m.vendor_attr_id, Some(0xFFF1_0001));
-        assert!(m.shares_occupancy_endpoint);
-    }
-
-    #[test]
-    fn fall_uses_switch_multi_press_complete_event() {
-        let m = matter_mapping(EntityKind::FallDetected).unwrap();
-        assert_eq!(m.cluster, CLUSTER_SWITCH);
-        assert_eq!(m.device_type, DEVICE_TYPE_GENERIC_SWITCH);
-        assert_eq!(m.event_id, Some(EVENT_SWITCH_MULTI_PRESS_COMPLETE));
-    }
-
-    #[test]
-    fn bed_exit_uses_switch_event() {
-        let m = matter_mapping(EntityKind::BedExit).unwrap();
-        assert_eq!(m.cluster, CLUSTER_SWITCH);
-        assert!(m.event_id.is_some());
-    }
-
-    #[test]
-    fn multi_room_uses_switch_event() {
-        let m = matter_mapping(EntityKind::MultiRoomTransition).unwrap();
-        assert_eq!(m.cluster, CLUSTER_SWITCH);
-    }
-
-    #[test]
-    fn someone_sleeping_uses_occupancy_separate_endpoint() {
-        let m = matter_mapping(EntityKind::SomeoneSleeping).unwrap();
-        assert_eq!(m.cluster, CLUSTER_OCCUPANCY_SENSING);
-        // NOT shares_occupancy_endpoint — needs its own endpoint so
-        // controllers can wire a "when bedroom_sleeping is on" scene
-        // independently of the raw presence sensor.
-        assert!(!m.shares_occupancy_endpoint);
-    }
-
-    #[test]
-    fn distress_uses_boolean_state_not_occupancy() {
-        // The semantic distinction matters: a controller binding a
-        // "when motion detected, turn lights on" scene must NOT fire
-        // for distress. We use BooleanState to keep them separate.
-        let m = matter_mapping(EntityKind::PossibleDistress).unwrap();
-        assert_eq!(m.cluster, CLUSTER_BOOLEAN_STATE);
-    }
-
-    #[test]
-    fn no_movement_uses_boolean_state() {
-        let m = matter_mapping(EntityKind::NoMovement).unwrap();
-        assert_eq!(m.cluster, CLUSTER_BOOLEAN_STATE);
-    }
-
-    #[test]
-    fn fall_risk_scalar_is_vendor_attribute_on_bridged_node() {
-        let m = matter_mapping(EntityKind::FallRiskElevated).unwrap();
-        assert_eq!(m.cluster, CLUSTER_BRIDGED_DEVICE_BASIC_INFORMATION);
-        assert!(m.vendor_attr_id.is_some());
-    }
-
-    #[test]
-    fn biometric_entities_have_no_matter_exposure() {
-        // ADR §3.11.4 — Matter spec has no clusters for these, so
-        // they're explicitly None.
-        assert!(matter_mapping(EntityKind::HeartRate).is_none());
-        assert!(matter_mapping(EntityKind::BreathingRate).is_none());
-        assert!(matter_mapping(EntityKind::PoseKeypoints).is_none());
-    }
-
-    #[test]
-    fn rssi_and_motion_continuous_are_mqtt_only() {
-        // No standard cluster represents signal strength or continuous
-        // motion-level for a non-light device.
-        assert!(matter_mapping(EntityKind::Rssi).is_none());
-        assert!(matter_mapping(EntityKind::MotionLevel).is_none());
-        assert!(matter_mapping(EntityKind::MotionEnergy).is_none());
-        assert!(matter_mapping(EntityKind::PresenceScore).is_none());
-    }
-
-    #[test]
-    fn next_endpoint_is_deterministic_and_overflow_safe() {
-        assert_eq!(next_endpoint(2, 0), 2);
-        assert_eq!(next_endpoint(2, 5), 7);
-        // Saturation on overflow rather than panic.
-        assert_eq!(next_endpoint(u16::MAX, 1), u16::MAX);
-    }
-
-    #[test]
-    fn entity_on_matter_is_consistent_with_matter_mapping_some() {
-        for e in [
-            EntityKind::Presence,
-            EntityKind::FallDetected,
-            EntityKind::SomeoneSleeping,
-            EntityKind::HeartRate,
-            EntityKind::Rssi,
-        ] {
-            assert_eq!(entity_on_matter(e), matter_mapping(e).is_some());
-        }
-    }
-
-    #[test]
-    fn all_entities_exhaustive_classification() {
-        // Spot-check that every EntityKind variant has a defined
-        // status — either a mapping or an explicit None — so a future
-        // addition can't silently miss the Matter table.
-        let known = [
-            EntityKind::Presence,
-            EntityKind::PersonCount,
-            EntityKind::BreathingRate,
-            EntityKind::HeartRate,
-            EntityKind::MotionLevel,
-            EntityKind::MotionEnergy,
-            EntityKind::FallDetected,
-            EntityKind::PresenceScore,
-            EntityKind::Rssi,
-            EntityKind::ZoneOccupancy,
-            EntityKind::PoseKeypoints,
-            EntityKind::SomeoneSleeping,
-            EntityKind::PossibleDistress,
-            EntityKind::RoomActive,
-            EntityKind::ElderlyInactivityAnomaly,
-            EntityKind::MeetingInProgress,
-            EntityKind::BathroomOccupied,
-            EntityKind::FallRiskElevated,
-            EntityKind::BedExit,
-            EntityKind::NoMovement,
-            EntityKind::MultiRoomTransition,
-        ];
-        // Hit every variant — this acts as a compile-time exhaustiveness
-        // canary: any new EntityKind added without updating
-        // `matter_mapping` will fail to match here.
-        for e in known {
-            let _ = matter_mapping(e); // doesn't panic
-        }
-    }
-
-    #[test]
-    fn cluster_ids_match_matter_spec_1_3() {
-        // Sanity-check the cluster IDs against the published spec
-        // values — catches a transcription typo.
-        assert_eq!(CLUSTER_OCCUPANCY_SENSING, 0x0406);
-        assert_eq!(CLUSTER_SWITCH, 0x003B);
-        assert_eq!(CLUSTER_BOOLEAN_STATE, 0x0045);
-        assert_eq!(CLUSTER_BRIDGED_DEVICE_BASIC_INFORMATION, 0x0039);
-        assert_eq!(DEVICE_TYPE_OCCUPANCY_SENSOR, 0x0107);
-        assert_eq!(DEVICE_TYPE_GENERIC_SWITCH, 0x000F);
-        assert_eq!(DEVICE_TYPE_AGGREGATOR, 0x000E);
-        assert_eq!(DEVICE_TYPE_BRIDGED_NODE, 0x0013);
-    }
-}
@@ -1,383 +0,0 @@
-//! Matter commissioning code generation (ADR-115 §3.11.2).
-//!
-//! When `--matter` is enabled, the publisher prints a setup code on
-//! first start that the user scans/enters into their Matter controller
-//! (Apple Home / Google Home / HA Matter integration). This module
-//! generates that code without depending on any Matter SDK.
-//!
-//! ## Spec
-//!
-//! Matter Core Spec 1.3 §5.1 defines two pairing-code formats:
-//!
-//! - **Manual pairing code** — 11 digits, base-10 encoded from packed
-//!   bits. This is what we emit for `--matter-setup-file`.
-//! - **QR code payload** — `MT:` prefix + base-38 of a longer
-//!   bit-packed payload. v0.7.0 emits the manual code only; QR string
-//!   generation is a v0.7.1 follow-up (per §9.9 dev-VID note —
-//!   commissioning works in either form with dev VID).
-//!
-//! ## Bit layout (manual code, §5.1.4.1)
-//!
-//! ```text
-//!  bits  width  meaning
-//!  ---- ------- -------------------------------------------------------
-//!   0    1     Version (always 0 today)
-//!   1    1     VID/PID present flag (0 = short code, 1 = with VID/PID)
-//!   2   10     Discriminator (12-bit overall, low 4 bits go elsewhere)
-//!  12   27     Passcode (27-bit setup PIN, range 0..2^27)
-//!  39    4     Discriminator (high 4 bits)
-//!  43    9     Reserved / VID-PID stitched in v0 = 0
-//! ```
-//!
-//! The bit-packed payload is then base-10 encoded and prefixed with
-//! the Luhn-style check digit.
-
-use super::super::matter::clusters::VENDOR_ATTR_PERSON_COUNT as _; // re-export-only guard
-
-/// Inputs to setup-code generation. `passcode` and `discriminator`
-/// are usually random at first start and persisted in the
-/// `--matter-setup-file` so the same code re-prints next boot.
-#[derive(Debug, Clone, Copy)]
-pub struct SetupCodeInput {
-    /// 27-bit Matter setup PIN. Must be in the range `0..2^27`
-    /// excluding the disallowed values listed in §5.1.6.1 (00000000,
-    /// 11111111, 22222222, …, 99999999, 12345678, 87654321).
-    pub passcode: u32,
-    /// 12-bit discriminator advertised in mDNS so controllers find the
-    /// device. Must be in `0..4096`.
-    pub discriminator: u16,
-    /// CSA-assigned vendor ID. Today we use dev VID `0xFFF1` per
-    /// ADR-115 §9.9 until P10 cert decision.
-    pub vendor_id: u16,
-    /// Vendor-assigned product ID. Default `0x8001` per the same ADR row.
-    pub product_id: u16,
-}
-
-impl SetupCodeInput {
-    /// Build with the production-default dev VID + sensible product ID.
-    /// `passcode` and `discriminator` come from a CSPRNG at first start.
-    pub fn dev(passcode: u32, discriminator: u16) -> Self {
-        Self { passcode, discriminator, vendor_id: 0xFFF1, product_id: 0x8001 }
-    }
-
-    /// Validate against §5.1.6.1 disallowed values + bit-width ranges.
-    pub fn validate(&self) -> Result<(), &'static str> {
-        if self.passcode == 0
-            || self.passcode == 11111111
-            || self.passcode == 22222222
-            || self.passcode == 33333333
-            || self.passcode == 44444444
-            || self.passcode == 55555555
-            || self.passcode == 66666666
-            || self.passcode == 77777777
-            || self.passcode == 88888888
-            || self.passcode == 99999999
-            || self.passcode == 12345678
-            || self.passcode == 87654321
-        {
-            return Err("passcode is in the §5.1.6.1 disallowed-values list");
-        }
-        if self.passcode >= 1 << 27 {
-            return Err("passcode exceeds 27-bit range");
-        }
-        if self.discriminator >= 1 << 12 {
-            return Err("discriminator exceeds 12-bit range");
-        }
-        Ok(())
-    }
-}
-
-/// The 11-digit manual pairing code as a fixed-length string. Always
-/// 11 digits because the Matter spec specifies fixed-width encoding.
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub struct ManualPairingCode(pub String);
-
-impl ManualPairingCode {
-    /// Build the 11-digit short code (§5.1.4.1, VID/PID-absent variant).
-    /// Returns the code as a `String` so the caller can `Display`-print
-    /// it directly. Validates the input first.
-    pub fn from_input(input: &SetupCodeInput) -> Result<Self, &'static str> {
-        input.validate()?;
-
-        // §5.1.4.1 — 10-digit short code = 1-digit header (encodes
-        // version + VID/PID flag + discriminator high 2 bits) +
-        // 5-digit middle (low passcode + low discriminator bits) +
-        // 4-digit trailer (high passcode bits). Plus 1-digit Verhoeff
-        // check digit = 11 total.
-        //
-        // The numeric chunks are sized to fit their decimal widths
-        // exactly (max value < 10^width), so the format! macro
-        // produces fixed-width output without truncation.
-        //
-        // This is a placeholder implementation: it produces a
-        // deterministic, validated, 11-digit string suitable for
-        // human display + Verhoeff-check round-trip. The bit-perfect
-        // spec-compliant code (with QR base-38 payload) is generated
-        // by the Matter SDK at P8 once `rs-matter` lands.
-        let disc = input.discriminator as u32;
-        let pin = input.passcode;
-
-        // Bit layout (placeholder — see header comment):
-        //   header  = disc_high_2_bits      → 1 digit (0..3)
-        //   chunk1  = (disc_low_10 << 14) | pin_low_14   → 24 bits, take mod 10^5
-        //   chunk2  = pin_high_13           → 13 bits, take mod 10^4
-        //
-        // The mod-by-10^width step is what differs from a fully
-        // spec-conformant encoder — but it preserves determinism and
-        // input sensitivity, which is what we need until P8 SDK.
-        let header = ((disc >> 10) & 0x3) as u64;
-        let chunk1_raw = ((pin & 0x3FFF) as u64) | (((disc & 0x3FF) as u64) << 14);
-        let chunk1 = chunk1_raw % 100_000;
-        let chunk2_raw = ((pin >> 14) & 0x1FFF) as u64;
-        let chunk2 = chunk2_raw % 10_000;
-
-        let body = format!("{:01}{:05}{:04}", header, chunk1, chunk2);
-        debug_assert_eq!(body.len(), 10, "body must be 10 digits — fix chunk widths");
-
-        let check = verhoeff_check_digit(&body);
-        Ok(Self(format!("{}{}", body, check)))
-    }
-
-    /// 4-3-4 dash format the way Matter controllers actually display
-    /// it (e.g. `1234-567-8901`). Used for human readability in
-    /// `--matter-setup-file` and console logs.
-    pub fn display_4_3_4(&self) -> String {
-        let s = &self.0;
-        format!("{}-{}-{}", &s[0..4], &s[4..7], &s[7..11])
-    }
-}
-
-/// Verhoeff check-digit algorithm per Matter Core §5.1.4.1.5 (the
-/// spec doesn't mandate Verhoeff specifically, but several controllers
-/// expect the published reference impl behaviour. We follow §5.1.4.1
-/// "decimal check digit using Verhoeff scheme".)
-fn verhoeff_check_digit(s: &str) -> u8 {
-    const D: [[u8; 10]; 10] = [
-        [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
-        [1, 2, 3, 4, 0, 6, 7, 8, 9, 5],
-        [2, 3, 4, 0, 1, 7, 8, 9, 5, 6],
-        [3, 4, 0, 1, 2, 8, 9, 5, 6, 7],
-        [4, 0, 1, 2, 3, 9, 5, 6, 7, 8],
-        [5, 9, 8, 7, 6, 0, 4, 3, 2, 1],
-        [6, 5, 9, 8, 7, 1, 0, 4, 3, 2],
-        [7, 6, 5, 9, 8, 2, 1, 0, 4, 3],
-        [8, 7, 6, 5, 9, 3, 2, 1, 0, 4],
-        [9, 8, 7, 6, 5, 4, 3, 2, 1, 0],
-    ];
-    const P: [[u8; 10]; 8] = [
-        [0, 1, 2, 3, 4, 5, 6, 7, 8, 9],
-        [1, 5, 7, 6, 2, 8, 3, 0, 9, 4],
-        [5, 8, 0, 3, 7, 9, 6, 1, 4, 2],
-        [8, 9, 1, 6, 0, 4, 3, 5, 2, 7],
-        [9, 4, 5, 3, 1, 2, 6, 8, 7, 0],
-        [4, 2, 8, 6, 5, 7, 3, 9, 0, 1],
-        [2, 7, 9, 3, 8, 0, 6, 4, 1, 5],
-        [7, 0, 4, 6, 9, 1, 3, 2, 5, 8],
-    ];
-    const INV: [u8; 10] = [0, 4, 3, 2, 1, 5, 6, 7, 8, 9];
-
-    let mut c = 0u8;
-    for (i, ch) in s.chars().rev().enumerate() {
-        let n = ch.to_digit(10).expect("non-digit in code body") as u8;
-        c = D[c as usize][P[(i + 1) % 8][n as usize] as usize];
-    }
-    INV[c as usize]
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn dev_constructor_uses_dev_vid_pid() {
-        let s = SetupCodeInput::dev(20202021, 3840);
-        assert_eq!(s.vendor_id, 0xFFF1);
-        assert_eq!(s.product_id, 0x8001);
-        assert_eq!(s.passcode, 20202021);
-        assert_eq!(s.discriminator, 3840);
-    }
-
-    #[test]
-    fn validate_rejects_disallowed_passcodes() {
-        for &bad in &[
-            0u32, 11111111, 22222222, 33333333, 44444444, 55555555,
-            66666666, 77777777, 88888888, 99999999, 12345678, 87654321,
-        ] {
-            let s = SetupCodeInput::dev(bad, 100);
-            assert!(s.validate().is_err(), "passcode {} must be rejected", bad);
-        }
-    }
-
-    #[test]
-    fn validate_rejects_oversized_passcode() {
-        let s = SetupCodeInput::dev(1 << 27, 100);
-        assert!(s.validate().is_err());
-    }
-
-    #[test]
-    fn validate_rejects_oversized_discriminator() {
-        let s = SetupCodeInput::dev(20202021, 4096);
-        assert!(s.validate().is_err());
-    }
-
-    #[test]
-    fn validate_accepts_canonical_test_vectors() {
-        // Common test values seen across Matter test suites.
-        for (pin, disc) in &[(20202021u32, 3840u16), (12345678 + 1, 100), (1, 0)] {
-            let s = SetupCodeInput::dev(*pin, *disc);
-            assert!(s.validate().is_ok(), "({}, {}) should validate", pin, disc);
-        }
-    }
-
-    #[test]
-    fn manual_code_is_11_digits() {
-        let s = SetupCodeInput::dev(20202021, 3840);
-        let code = ManualPairingCode::from_input(&s).unwrap();
-        assert_eq!(code.0.len(), 11);
-        assert!(code.0.chars().all(|c| c.is_ascii_digit()));
-    }
-
-    #[test]
-    fn manual_code_display_format_is_4_3_4() {
-        let s = SetupCodeInput::dev(20202021, 3840);
-        let code = ManualPairingCode::from_input(&s).unwrap();
-        let pretty = code.display_4_3_4();
-        // 4-3-4 + 2 dashes = 13 chars.
-        assert_eq!(pretty.len(), 13);
-        assert_eq!(&pretty[4..5], "-");
-        assert_eq!(&pretty[8..9], "-");
-    }
-
-    #[test]
-    fn manual_code_is_deterministic_for_same_input() {
-        let s = SetupCodeInput::dev(20202021, 3840);
-        let a = ManualPairingCode::from_input(&s).unwrap();
-        let b = ManualPairingCode::from_input(&s).unwrap();
-        assert_eq!(a, b);
-    }
-
-    #[test]
-    fn manual_code_differs_when_passcode_changes() {
-        let a = ManualPairingCode::from_input(&SetupCodeInput::dev(20202021, 3840))
-            .unwrap();
-        let b = ManualPairingCode::from_input(&SetupCodeInput::dev(20202022, 3840))
-            .unwrap();
-        assert_ne!(a, b);
-    }
-
-    #[test]
-    fn manual_code_differs_when_discriminator_changes() {
-        let a = ManualPairingCode::from_input(&SetupCodeInput::dev(20202021, 3840))
-            .unwrap();
-        let b = ManualPairingCode::from_input(&SetupCodeInput::dev(20202021, 100))
-            .unwrap();
-        assert_ne!(a, b);
-    }
-
-    #[test]
-    fn verhoeff_check_digit_is_self_consistent() {
-        // The Verhoeff scheme has the property that appending the
-        // check digit to the body produces a string with check-digit-
-        // appended == 0. Verify the recursive property holds.
-        let s = SetupCodeInput::dev(20202021, 3840);
-        let code = ManualPairingCode::from_input(&s).unwrap();
-        // Re-verify: the check digit appended to the body should make
-        // the Verhoeff sum collapse to 0.
-        let body = &code.0[0..10];
-        let check_recomputed = verhoeff_check_digit(body);
-        let body_digit = code.0[10..11].parse::<u8>().unwrap();
-        assert_eq!(check_recomputed, body_digit);
-    }
-
-    #[test]
-    fn from_input_rejects_invalid_input() {
-        // Build with a disallowed passcode; from_input must return Err.
-        let s = SetupCodeInput::dev(11111111, 3840);
-        assert!(ManualPairingCode::from_input(&s).is_err());
-    }
-
-    // ─── Property-based invariants for the commissioning encoder ─────
-
-    use proptest::prelude::*;
-
-    /// The §5.1.6.1 disallowed-passcodes set, hoisted to a const for
-    /// reuse in property tests.
-    const DISALLOWED_PASSCODES: &[u32] = &[
-        0u32, 11111111, 22222222, 33333333, 44444444, 55555555,
-        66666666, 77777777, 88888888, 99999999, 12345678, 87654321,
-    ];
-
-    proptest! {
-        /// For ANY (passcode, discriminator) in the valid range that
-        /// is not in the §5.1.6.1 disallowed set, from_input MUST
-        /// produce a code with the same shape:
-        ///   - exactly 11 ASCII digits
-        ///   - Verhoeff-self-consistent
-        ///   - 4-3-4 display form is 13 chars with dashes at positions 4 and 8
-        #[test]
-        fn manual_code_shape_invariants(
-            passcode in 1u32..((1 << 27) - 1),
-            disc in 0u16..4095,
-        ) {
-            // Reject the disallowed-by-spec set inside the proptest body
-            // so the input strategy stays simple.
-            prop_assume!(!DISALLOWED_PASSCODES.contains(&passcode));
-
-            let s = SetupCodeInput::dev(passcode, disc);
-            let code = ManualPairingCode::from_input(&s);
-            prop_assert!(code.is_ok(), "valid input rejected: {:?}", code.err());
-            let code = code.unwrap();
-
-            // 11 ASCII digits.
-            prop_assert_eq!(code.0.len(), 11);
-            prop_assert!(code.0.chars().all(|c| c.is_ascii_digit()));
-
-            // Verhoeff self-consistency.
-            let body = &code.0[0..10];
-            let body_digit = code.0[10..11].parse::<u8>().unwrap();
-            prop_assert_eq!(verhoeff_check_digit(body), body_digit);
-
-            // 4-3-4 form.
-            let pretty = code.display_4_3_4();
-            prop_assert_eq!(pretty.len(), 13);
-            prop_assert_eq!(&pretty[4..5], "-");
-            prop_assert_eq!(&pretty[8..9], "-");
-        }
-
-        /// Every disallowed passcode in the §5.1.6.1 list MUST be
-        /// rejected by validate(), regardless of discriminator.
-        #[test]
-        fn disallowed_passcodes_always_rejected(
-            disc in 0u16..4095,
-            bad_idx in 0usize..DISALLOWED_PASSCODES.len(),
-        ) {
-            let bad = DISALLOWED_PASSCODES[bad_idx];
-            let s = SetupCodeInput::dev(bad, disc);
-            prop_assert!(s.validate().is_err(), "passcode {} must be rejected", bad);
-        }
-
-        /// Oversized inputs always rejected, regardless of the
-        /// allowed dim.
-        #[test]
-        fn oversized_inputs_always_rejected(
-            big_pin in (1u32 << 27)..u32::MAX,
-            big_disc in 4096u16..,
-        ) {
-            prop_assert!(SetupCodeInput::dev(big_pin, 100).validate().is_err());
-            prop_assert!(SetupCodeInput::dev(20202021, big_disc).validate().is_err());
-        }
-
-        /// Same input → same code (determinism property under random sampling).
-        #[test]
-        fn manual_code_deterministic_under_random_input(
-            passcode in 1u32..((1 << 27) - 1),
-            disc in 0u16..4095,
-        ) {
-            prop_assume!(!DISALLOWED_PASSCODES.contains(&passcode));
-            let s = SetupCodeInput::dev(passcode, disc);
-            let a = ManualPairingCode::from_input(&s).unwrap();
-            let b = ManualPairingCode::from_input(&s).unwrap();
-            prop_assert_eq!(a, b);
-        }
-    }
-}
@@ -1,40 +0,0 @@
-//! ADR-115 §3.11 — Matter Bridge (HA-FABRIC) scaffolding.
-//!
-//! This module owns the **Matter device-type and cluster mappings**
-//! independent of any specific Matter SDK. Pure types + lookup tables
-//! land here in v0.7.0; the actual SDK wiring (rs-matter or chip-tool
-//! FFI per §9.10) lands in P7 → P8 in v0.7.1 once the SDK choice is
-//! validated by a pairing spike against Apple Home / Google Home / HA.
-//!
-//! ## Why scaffolding-first
-//!
-//! 1. **Decision principle** (maintainer ACK §9): preserve clean
-//!    protocols, avoid fake semantics, ship MQTT first, validate Matter
-//!    second. This module defines what Matter *would* expose without
-//!    committing to an SDK.
-//! 2. **Reusability**. The mapping table is the same regardless of SDK
-//!    choice — rs-matter and chip-tool both speak in cluster IDs +
-//!    attribute IDs. Defining it here means the SDK swap (if needed
-//!    at P7) is local.
-//! 3. **Testability**. Cluster / attribute / event IDs are well-known
-//!    integers in the Matter spec; we can validate the mapping against
-//!    the spec without a live controller.
-//!
-//! ## Spec versions tracked
-//!
-//! - **Matter Core Spec 1.3** (CSA, 2024) — the surface this module
-//!   targets. ID values below match §1.3 §A.1 Reserved Cluster IDs.
-//!
-//! Future Matter spec revisions that add biometric clusters (HR / BR)
-//! would expand `EntityKind::matter_mapping` to cover them. Today HR /
-//! BR have no Matter cluster and stay MQTT-only.
-
-mod bridge;
-mod clusters;
-mod commissioning;
-
-pub use bridge::{build_bridge_tree, BridgeTree, Endpoint, EndpointRef, NodeBranch};
-pub use clusters::{
-    matter_mapping, ClusterId, EndpointTypeId, MatterClusterMapping,
-};
-pub use commissioning::{ManualPairingCode, SetupCodeInput};
@@ -1,293 +0,0 @@
-//! Runtime configuration for the MQTT publisher, built from CLI args.
-
-use std::path::PathBuf;
-
-/// All knobs the MQTT publisher needs. Built by [`MqttConfig::from_args`]
-/// after [`crate::cli::Args`] parsing.
-#[derive(Debug, Clone)]
-pub struct MqttConfig {
-    pub host: String,
-    pub port: u16,
-    pub username: Option<String>,
-    pub password: Option<String>,
-    pub client_id: String,
-    pub discovery_prefix: String,
-    pub tls: TlsConfig,
-    pub refresh_secs: u64,
-    pub rates: PublishRates,
-    pub publish_pose: bool,
-    pub privacy_mode: bool,
-}
-
-/// TLS settings for the MQTT publisher.
-///
-/// `None` means plaintext. `Some(TlsBundle::SystemTrust)` means encrypt
-/// against the system trust store. `Some(TlsBundle::PinnedCa { ... })`
-/// means encrypt against a specific CA (the typical Cognitum Seed mTLS
-/// recipe).
-#[derive(Debug, Clone)]
-pub enum TlsConfig {
-    Off,
-    SystemTrust,
-    PinnedCa { ca_file: PathBuf },
-    MutualTls { ca_file: PathBuf, client_cert: PathBuf, client_key: PathBuf },
-}
-
-/// Per-entity publish rates (Hz). Zero means "publish on change only".
-#[derive(Debug, Clone, Copy)]
-pub struct PublishRates {
-    pub vitals_hz: f64,
-    pub motion_hz: f64,
-    pub count_hz: f64,
-    pub rssi_hz: f64,
-    pub pose_hz: f64,
-}
-
-impl Default for PublishRates {
-    fn default() -> Self {
-        Self {
-            vitals_hz: 0.2,
-            motion_hz: 1.0,
-            count_hz: 1.0,
-            rssi_hz: 0.1,
-            pose_hz: 1.0,
-        }
-    }
-}
-
-impl MqttConfig {
-    /// Build an [`MqttConfig`] from parsed [`crate::cli::Args`].
-    ///
-    /// Reads `mqtt_password_env` to resolve the broker password from the
-    /// environment so secrets never appear on the command line. Reads
-    /// `hostname()` via the `gethostname` crate if `mqtt_client_id` was
-    /// not supplied — we don't add a dep here, we let the publisher
-    /// supply the default lazily.
-    pub fn from_args(args: &crate::cli::Args) -> Self {
-        let password = std::env::var(&args.mqtt_password_env).ok();
-        let port = args.mqtt_port.unwrap_or(if args.mqtt_tls { 8883 } else { 1883 });
-        let tls = build_tls(args);
-        let client_id = args
-            .mqtt_client_id
-            .clone()
-            .unwrap_or_else(|| {
-                // Avoid a `gethostname` dep in P1 — fallback only.
-                format!("wifi-densepose-{}", std::process::id())
-            });
-
-        Self {
-            host: args.mqtt_host.clone(),
-            port,
-            username: args.mqtt_username.clone(),
-            password,
-            client_id,
-            discovery_prefix: args.mqtt_prefix.clone(),
-            tls,
-            refresh_secs: args.mqtt_refresh_secs,
-            rates: PublishRates {
-                vitals_hz: args.mqtt_rate_vitals,
-                motion_hz: args.mqtt_rate_motion,
-                count_hz: args.mqtt_rate_count,
-                rssi_hz: args.mqtt_rate_rssi,
-                pose_hz: args.mqtt_rate_pose,
-            },
-            publish_pose: args.mqtt_publish_pose,
-            privacy_mode: args.privacy_mode,
-        }
-    }
-
-    /// True iff this config is safe to start. Pre-flight validation that
-    /// runs before any network I/O so users get a clean error instead of
-    /// a connect failure 30 s later.
-    pub fn validate(&self) -> Result<(), MqttConfigError> {
-        if self.host.is_empty() {
-            return Err(MqttConfigError::EmptyHost);
-        }
-        if self.port == 0 {
-            return Err(MqttConfigError::InvalidPort(self.port));
-        }
-        if self.refresh_secs == 0 {
-            return Err(MqttConfigError::RefreshTooSmall);
-        }
-        for rate in [
-            self.rates.vitals_hz,
-            self.rates.motion_hz,
-            self.rates.count_hz,
-            self.rates.rssi_hz,
-            self.rates.pose_hz,
-        ] {
-            if !rate.is_finite() || rate < 0.0 {
-                return Err(MqttConfigError::InvalidRate(rate));
-            }
-        }
-        if !self.host.eq_ignore_ascii_case("localhost")
-            && !self.host.starts_with("127.")
-            && !self.host.starts_with("::1")
-            && matches!(self.tls, TlsConfig::Off)
-        {
-            // Per ADR-115 §3.9 / §9.5 — WARN now, hard-fail at v0.8.0.
-            // We return a non-fatal advisory; the caller decides.
-            return Err(MqttConfigError::PlaintextOnPublicHost {
-                host: self.host.clone(),
-            });
-        }
-        Ok(())
-    }
-}
-
-fn build_tls(args: &crate::cli::Args) -> TlsConfig {
-    if !args.mqtt_tls {
-        return TlsConfig::Off;
-    }
-    match (
-        args.mqtt_ca_file.as_ref(),
-        args.mqtt_client_cert.as_ref(),
-        args.mqtt_client_key.as_ref(),
-    ) {
-        (Some(ca), Some(cert), Some(key)) => TlsConfig::MutualTls {
-            ca_file: ca.clone(),
-            client_cert: cert.clone(),
-            client_key: key.clone(),
-        },
-        (Some(ca), None, None) => TlsConfig::PinnedCa { ca_file: ca.clone() },
-        _ => TlsConfig::SystemTrust,
-    }
-}
-
-/// Pre-flight validation errors.
-#[derive(Debug, thiserror::Error)]
-pub enum MqttConfigError {
-    #[error("MQTT broker host is empty")]
-    EmptyHost,
-    #[error("invalid MQTT broker port: {0}")]
-    InvalidPort(u16),
-    #[error("--mqtt-refresh-secs must be >= 1")]
-    RefreshTooSmall,
-    #[error("invalid MQTT publish rate: {0} Hz")]
-    InvalidRate(f64),
-    #[error(
-        "plaintext MQTT on non-localhost broker {host} is deprecated and will hard-fail in v0.8.0 \
-         (ADR-115 §3.9). Add --mqtt-tls to encrypt."
-    )]
-    PlaintextOnPublicHost { host: String },
-}
-
-impl MqttConfigError {
-    /// True for errors that block startup. False for advisories the user
-    /// can override (used for the v0.7.0 → v0.8.0 deprecation curve on
-    /// plaintext).
-    pub fn is_fatal(&self) -> bool {
-        !matches!(self, MqttConfigError::PlaintextOnPublicHost { .. })
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use clap::Parser;
-
-    fn parse(args: &[&str]) -> crate::cli::Args {
-        crate::cli::Args::parse_from(std::iter::once("sensing-server").chain(args.iter().copied()))
-    }
-
-    #[test]
-    fn from_args_defaults_localhost_1883() {
-        let cfg = MqttConfig::from_args(&parse(&[]));
-        assert_eq!(cfg.host, "localhost");
-        assert_eq!(cfg.port, 1883);
-        assert_eq!(cfg.discovery_prefix, "homeassistant");
-        assert!(matches!(cfg.tls, TlsConfig::Off));
-        assert_eq!(cfg.refresh_secs, 600);
-        assert_eq!(cfg.rates.vitals_hz, 0.2);
-        assert!(!cfg.publish_pose);
-        assert!(!cfg.privacy_mode);
-    }
-
-    #[test]
-    fn tls_flag_bumps_port_to_8883() {
-        let cfg = MqttConfig::from_args(&parse(&["--mqtt-tls"]));
-        assert_eq!(cfg.port, 8883);
-        assert!(matches!(cfg.tls, TlsConfig::SystemTrust));
-    }
-
-    #[test]
-    fn explicit_port_overrides_default() {
-        let cfg = MqttConfig::from_args(&parse(&["--mqtt-port", "8884"]));
-        assert_eq!(cfg.port, 8884);
-    }
-
-    #[test]
-    fn mtls_when_full_triplet_supplied() {
-        let cfg = MqttConfig::from_args(&parse(&[
-            "--mqtt-tls",
-            "--mqtt-ca-file", "/etc/ca.pem",
-            "--mqtt-client-cert", "/etc/client.pem",
-            "--mqtt-client-key", "/etc/client.key",
-        ]));
-        assert!(matches!(cfg.tls, TlsConfig::MutualTls { .. }));
-    }
-
-    #[test]
-    fn validate_rejects_empty_host() {
-        let mut cfg = MqttConfig::from_args(&parse(&[]));
-        cfg.host = String::new();
-        let err = cfg.validate().unwrap_err();
-        assert!(matches!(err, MqttConfigError::EmptyHost));
-        assert!(err.is_fatal());
-    }
-
-    #[test]
-    fn validate_rejects_zero_port() {
-        let mut cfg = MqttConfig::from_args(&parse(&[]));
-        cfg.port = 0;
-        assert!(matches!(cfg.validate(), Err(MqttConfigError::InvalidPort(0))));
-    }
-
-    #[test]
-    fn validate_localhost_plaintext_ok() {
-        let cfg = MqttConfig::from_args(&parse(&[]));
-        // localhost + plaintext is fine — no advisory.
-        assert!(cfg.validate().is_ok());
-    }
-
-    #[test]
-    fn validate_plaintext_public_advises_but_not_fatal() {
-        let cfg = MqttConfig::from_args(&parse(&["--mqtt-host", "broker.example.com"]));
-        let err = cfg.validate().unwrap_err();
-        assert!(matches!(err, MqttConfigError::PlaintextOnPublicHost { .. }));
-        assert!(!err.is_fatal(), "v0.7.0 should warn, not block (ADR-115 §3.9)");
-    }
-
-    #[test]
-    fn validate_public_tls_ok() {
-        let cfg = MqttConfig::from_args(&parse(&[
-            "--mqtt-host", "broker.example.com",
-            "--mqtt-tls",
-        ]));
-        assert!(cfg.validate().is_ok());
-    }
-
-    #[test]
-    fn validate_rejects_negative_rate() {
-        let mut cfg = MqttConfig::from_args(&parse(&[]));
-        cfg.rates.vitals_hz = -1.0;
-        assert!(matches!(cfg.validate(), Err(MqttConfigError::InvalidRate(_))));
-    }
-
-    #[test]
-    fn validate_rejects_nan_rate() {
-        let mut cfg = MqttConfig::from_args(&parse(&[]));
-        cfg.rates.motion_hz = f64::NAN;
-        assert!(matches!(cfg.validate(), Err(MqttConfigError::InvalidRate(_))));
-    }
-
-    #[test]
-    fn password_env_resolution() {
-        std::env::set_var("RUVIEW_TEST_MQTT_PW", "s3cret");
-        let cfg = MqttConfig::from_args(&parse(&[
-            "--mqtt-password-env", "RUVIEW_TEST_MQTT_PW",
-        ]));
-        assert_eq!(cfg.password.as_deref(), Some("s3cret"));
-        std::env::remove_var("RUVIEW_TEST_MQTT_PW");
-    }
-}
@@ -1,651 +0,0 @@
-//! HA MQTT auto-discovery payload generators.
-//!
-//! Per ADR-115 §3.1 — §3.4 each RuView node becomes one HA `device` and
-//! each capability (presence, person count, heart rate, breathing rate,
-//! motion, fall, RSSI, zone occupancy, pose) becomes one entity on that
-//! device. This module owns the JSON-serializable structures HA expects
-//! on the `homeassistant/<component>/<object_id>/<entity>/config` topic.
-//!
-//! The structures are `Serialize`-only; we never need to parse them
-//! back. Field names match Home Assistant's published MQTT-discovery
-//! schema (https://www.home-assistant.io/integrations/mqtt/#mqtt-discovery)
-//! pinned to the version the project tests against (v2025.5 as of this
-//! ADR; bump in `docs/integrations/home-assistant.md` when the test
-//! matrix moves).
-
-use serde::Serialize;
-
-use super::{MANUFACTURER, ORIGIN_NAME, SUPPORT_URL};
-
-/// HA component kinds we publish today. Strings match the HA URL slug.
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub enum DiscoveryComponent {
-    BinarySensor,
-    Sensor,
-    Event,
-}
-
-impl DiscoveryComponent {
-    pub fn as_str(self) -> &'static str {
-        match self {
-            DiscoveryComponent::BinarySensor => "binary_sensor",
-            DiscoveryComponent::Sensor => "sensor",
-            DiscoveryComponent::Event => "event",
-        }
-    }
-}
-
-/// Top-level HA discovery payload. Serialised to JSON and published
-/// retained, QoS 1 on `<prefix>/<component>/<object_id>/<entity>/config`.
-///
-/// We only model the fields ADR-115 §3.3 examples touch. HA's schema has
-/// many more optional fields; we add them on a per-entity-need basis to
-/// keep payloads small (some retained brokers cap message size).
-#[derive(Debug, Clone, Serialize)]
-pub struct DiscoveryConfig {
-    pub name: String,
-    pub unique_id: String,
-    pub object_id: String,
-    pub state_topic: String,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub availability_topic: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub payload_available: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub payload_not_available: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub payload_on: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub payload_off: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub device_class: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub state_class: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub unit_of_measurement: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub icon: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub value_template: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub json_attributes_topic: Option<String>,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub event_types: Option<Vec<String>>,
-    pub qos: u8,
-    pub device: DeviceMeta,
-    pub origin: OriginMeta,
-}
-
-/// HA `device` block. Multiple entities pointing at the same
-/// `identifiers` are grouped into one device card in the HA UI.
-#[derive(Debug, Clone, Serialize)]
-pub struct DeviceMeta {
-    pub identifiers: Vec<String>,
-    pub name: String,
-    pub manufacturer: String,
-    pub model: String,
-    pub sw_version: String,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    pub via_device: Option<String>,
-}
-
-/// HA `origin` block. Tells HA users which software emitted the entities.
-#[derive(Debug, Clone, Serialize)]
-pub struct OriginMeta {
-    pub name: String,
-    pub sw_version: String,
-    pub support_url: String,
-}
-
-/// Per-entity availability payload. Used as MQTT LWT so the broker
-/// publishes `offline` automatically if our connection drops.
-#[derive(Debug, Clone)]
-pub struct AvailabilityPayload {
-    pub topic: String,
-    pub online: &'static str,
-    pub offline: &'static str,
-}
-
-impl AvailabilityPayload {
-    pub fn for_entity(prefix: &str, component: DiscoveryComponent, node_id: &str, entity: &str) -> Self {
-        Self {
-            topic: format!(
-                "{prefix}/{}/wifi_densepose_{node_id}/{entity}/availability",
-                component.as_str()
-            ),
-            online: "online",
-            offline: "offline",
-        }
-    }
-}
-
-/// All entity kinds RuView publishes via MQTT. Used by [`DiscoveryBuilder`]
-/// to generate matching `config` and `state` topic strings.
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
-pub enum EntityKind {
-    Presence,
-    PersonCount,
-    BreathingRate,
-    HeartRate,
-    MotionLevel,
-    MotionEnergy,
-    FallDetected,
-    PresenceScore,
-    Rssi,
-    ZoneOccupancy,
-    PoseKeypoints,
-    // Semantic primitives (ADR-115 §3.12).
-    SomeoneSleeping,
-    PossibleDistress,
-    RoomActive,
-    ElderlyInactivityAnomaly,
-    MeetingInProgress,
-    BathroomOccupied,
-    FallRiskElevated,
-    BedExit,
-    NoMovement,
-    MultiRoomTransition,
-}
-
-impl EntityKind {
-    pub fn topic_slug(self) -> &'static str {
-        match self {
-            EntityKind::Presence => "presence",
-            EntityKind::PersonCount => "person_count",
-            EntityKind::BreathingRate => "breathing_rate",
-            EntityKind::HeartRate => "heart_rate",
-            EntityKind::MotionLevel => "motion_level",
-            EntityKind::MotionEnergy => "motion_energy",
-            EntityKind::FallDetected => "fall",
-            EntityKind::PresenceScore => "presence_score",
-            EntityKind::Rssi => "rssi",
-            EntityKind::ZoneOccupancy => "zone_occupancy",
-            EntityKind::PoseKeypoints => "pose",
-            EntityKind::SomeoneSleeping => "someone_sleeping",
-            EntityKind::PossibleDistress => "possible_distress",
-            EntityKind::RoomActive => "room_active",
-            EntityKind::ElderlyInactivityAnomaly => "elderly_inactivity_anomaly",
-            EntityKind::MeetingInProgress => "meeting_in_progress",
-            EntityKind::BathroomOccupied => "bathroom_occupied",
-            EntityKind::FallRiskElevated => "fall_risk_elevated",
-            EntityKind::BedExit => "bed_exit",
-            EntityKind::NoMovement => "no_movement",
-            EntityKind::MultiRoomTransition => "multi_room_transition",
-        }
-    }
-
-    pub fn component(self) -> DiscoveryComponent {
-        match self {
-            // Boolean states → binary_sensor.
-            EntityKind::Presence
-            | EntityKind::ZoneOccupancy
-            | EntityKind::SomeoneSleeping
-            | EntityKind::PossibleDistress
-            | EntityKind::RoomActive
-            | EntityKind::ElderlyInactivityAnomaly
-            | EntityKind::MeetingInProgress
-            | EntityKind::BathroomOccupied
-            | EntityKind::NoMovement => DiscoveryComponent::BinarySensor,
-            // One-shot triggers → event.
-            EntityKind::FallDetected
-            | EntityKind::BedExit
-            | EntityKind::MultiRoomTransition => DiscoveryComponent::Event,
-            // Numeric measurements → sensor.
-            EntityKind::PersonCount
-            | EntityKind::BreathingRate
-            | EntityKind::HeartRate
-            | EntityKind::MotionLevel
-            | EntityKind::MotionEnergy
-            | EntityKind::PresenceScore
-            | EntityKind::Rssi
-            | EntityKind::PoseKeypoints
-            | EntityKind::FallRiskElevated => DiscoveryComponent::Sensor,
-        }
-    }
-
-    /// True iff this entity carries biometric data that `--privacy-mode`
-    /// must suppress per ADR-115 §3.10 and §3.12.3. Semantic primitives
-    /// stay published even in privacy mode because they're inferred
-    /// states, not raw values.
-    pub fn is_biometric(self) -> bool {
-        matches!(
-            self,
-            EntityKind::BreathingRate | EntityKind::HeartRate | EntityKind::PoseKeypoints
-        )
-    }
-
-    /// Human-readable HA entity name shown in the UI.
-    pub fn display_name(self) -> &'static str {
-        match self {
-            EntityKind::Presence => "Presence",
-            EntityKind::PersonCount => "Person count",
-            EntityKind::BreathingRate => "Breathing rate",
-            EntityKind::HeartRate => "Heart rate",
-            EntityKind::MotionLevel => "Motion level",
-            EntityKind::MotionEnergy => "Motion energy",
-            EntityKind::FallDetected => "Fall detected",
-            EntityKind::PresenceScore => "Presence score",
-            EntityKind::Rssi => "Signal strength",
-            EntityKind::ZoneOccupancy => "Zone occupancy",
-            EntityKind::PoseKeypoints => "Pose",
-            EntityKind::SomeoneSleeping => "Someone sleeping",
-            EntityKind::PossibleDistress => "Possible distress",
-            EntityKind::RoomActive => "Room active",
-            EntityKind::ElderlyInactivityAnomaly => "Elderly inactivity anomaly",
-            EntityKind::MeetingInProgress => "Meeting in progress",
-            EntityKind::BathroomOccupied => "Bathroom occupied",
-            EntityKind::FallRiskElevated => "Fall risk elevated",
-            EntityKind::BedExit => "Bed exit",
-            EntityKind::NoMovement => "No movement",
-            EntityKind::MultiRoomTransition => "Room transition",
-        }
-    }
-}
-
-/// Builds HA discovery payloads for a specific RuView node.
-pub struct DiscoveryBuilder<'a> {
-    pub discovery_prefix: &'a str,
-    pub node_id: &'a str,
-    pub node_friendly_name: Option<&'a str>,
-    pub sw_version: &'a str,
-    pub model: &'a str,
-    pub via_device: Option<&'a str>,
-}
-
-impl<'a> DiscoveryBuilder<'a> {
-    fn unique_id(&self, entity: EntityKind) -> String {
-        format!("wifi_densepose_{}_{}", self.node_id, entity.topic_slug())
-    }
-
-    fn state_topic(&self, entity: EntityKind) -> String {
-        format!(
-            "{}/{}/wifi_densepose_{}/{}/state",
-            self.discovery_prefix,
-            entity.component().as_str(),
-            self.node_id,
-            entity.topic_slug(),
-        )
-    }
-
-    pub fn config_topic(&self, entity: EntityKind) -> String {
-        format!(
-            "{}/{}/wifi_densepose_{}/{}/config",
-            self.discovery_prefix,
-            entity.component().as_str(),
-            self.node_id,
-            entity.topic_slug(),
-        )
-    }
-
-    pub fn availability_topic(&self, entity: EntityKind) -> String {
-        format!(
-            "{}/{}/wifi_densepose_{}/{}/availability",
-            self.discovery_prefix,
-            entity.component().as_str(),
-            self.node_id,
-            entity.topic_slug(),
-        )
-    }
-
-    fn device(&self) -> DeviceMeta {
-        let display = self
-            .node_friendly_name
-            .map(|n| n.to_string())
-            .unwrap_or_else(|| format!("RuView node {}", self.node_id));
-        DeviceMeta {
-            identifiers: vec![format!("wifi_densepose_{}", self.node_id)],
-            name: display,
-            manufacturer: MANUFACTURER.to_string(),
-            model: self.model.to_string(),
-            sw_version: self.sw_version.to_string(),
-            via_device: self.via_device.map(|s| s.to_string()),
-        }
-    }
-
-    fn origin(&self) -> OriginMeta {
-        OriginMeta {
-            name: ORIGIN_NAME.to_string(),
-            sw_version: env!("CARGO_PKG_VERSION").to_string(),
-            support_url: SUPPORT_URL.to_string(),
-        }
-    }
-
-    /// Build a discovery config payload for one entity on this node.
-    pub fn build(&self, entity: EntityKind) -> DiscoveryConfig {
-        let component = entity.component();
-        let mut cfg = DiscoveryConfig {
-            name: entity.display_name().to_string(),
-            unique_id: self.unique_id(entity),
-            object_id: self.unique_id(entity),
-            state_topic: self.state_topic(entity),
-            availability_topic: Some(self.availability_topic(entity)),
-            payload_available: Some("online".into()),
-            payload_not_available: Some("offline".into()),
-            payload_on: None,
-            payload_off: None,
-            device_class: None,
-            state_class: None,
-            unit_of_measurement: None,
-            icon: None,
-            value_template: None,
-            json_attributes_topic: None,
-            event_types: None,
-            qos: match component {
-                DiscoveryComponent::BinarySensor | DiscoveryComponent::Event => 1,
-                DiscoveryComponent::Sensor => 0,
-            },
-            device: self.device(),
-            origin: self.origin(),
-        };
-
-        match entity {
-            EntityKind::Presence
-            | EntityKind::ZoneOccupancy
-            | EntityKind::SomeoneSleeping
-            | EntityKind::RoomActive
-            | EntityKind::MeetingInProgress
-            | EntityKind::BathroomOccupied => {
-                cfg.payload_on = Some("ON".into());
-                cfg.payload_off = Some("OFF".into());
-                cfg.device_class = Some("occupancy".into());
-                cfg.icon = Some(match entity {
-                    EntityKind::SomeoneSleeping => "mdi:sleep",
-                    EntityKind::MeetingInProgress => "mdi:account-group",
-                    EntityKind::BathroomOccupied => "mdi:shower",
-                    EntityKind::RoomActive => "mdi:home-account",
-                    EntityKind::ZoneOccupancy => "mdi:map-marker",
-                    _ => "mdi:motion-sensor",
-                }.into());
-            }
-            EntityKind::PossibleDistress
-            | EntityKind::ElderlyInactivityAnomaly
-            | EntityKind::NoMovement => {
-                cfg.payload_on = Some("ON".into());
-                cfg.payload_off = Some("OFF".into());
-                cfg.device_class = Some("problem".into());
-                cfg.icon = Some("mdi:alert-octagon".into());
-            }
-            EntityKind::FallDetected => {
-                cfg.event_types = Some(vec!["fall_detected".into()]);
-                cfg.icon = Some("mdi:human-fall".into());
-            }
-            EntityKind::BedExit => {
-                cfg.event_types = Some(vec!["bed_exit".into()]);
-                cfg.icon = Some("mdi:bed-empty".into());
-            }
-            EntityKind::MultiRoomTransition => {
-                cfg.event_types = Some(vec!["transition".into()]);
-                cfg.icon = Some("mdi:transit-transfer".into());
-            }
-            EntityKind::PersonCount => {
-                cfg.state_class = Some("measurement".into());
-                cfg.unit_of_measurement = Some("persons".into());
-                cfg.icon = Some("mdi:account-group".into());
-                cfg.value_template = Some("{{ value_json.n_persons }}".into());
-            }
-            EntityKind::BreathingRate => {
-                cfg.state_class = Some("measurement".into());
-                cfg.unit_of_measurement = Some("bpm".into());
-                cfg.icon = Some("mdi:lungs".into());
-                cfg.value_template = Some("{{ value_json.bpm }}".into());
-                cfg.json_attributes_topic = Some(cfg.state_topic.clone());
-            }
-            EntityKind::HeartRate => {
-                cfg.state_class = Some("measurement".into());
-                cfg.unit_of_measurement = Some("bpm".into());
-                cfg.icon = Some("mdi:heart-pulse".into());
-                cfg.value_template = Some("{{ value_json.bpm }}".into());
-                cfg.json_attributes_topic = Some(cfg.state_topic.clone());
-            }
-            EntityKind::MotionLevel => {
-                cfg.state_class = Some("measurement".into());
-                cfg.unit_of_measurement = Some("%".into());
-                cfg.icon = Some("mdi:run".into());
-                cfg.value_template = Some("{{ value_json.level_pct }}".into());
-            }
-            EntityKind::MotionEnergy => {
-                cfg.state_class = Some("measurement".into());
-                cfg.icon = Some("mdi:waveform".into());
-                cfg.value_template = Some("{{ value_json.energy }}".into());
-            }
-            EntityKind::PresenceScore => {
-                cfg.state_class = Some("measurement".into());
-                cfg.unit_of_measurement = Some("%".into());
-                cfg.icon = Some("mdi:gauge".into());
-                cfg.value_template = Some("{{ value_json.score_pct }}".into());
-            }
-            EntityKind::Rssi => {
-                cfg.state_class = Some("measurement".into());
-                cfg.device_class = Some("signal_strength".into());
-                cfg.unit_of_measurement = Some("dBm".into());
-                cfg.icon = Some("mdi:wifi".into());
-                cfg.value_template = Some("{{ value_json.dbm }}".into());
-            }
-            EntityKind::PoseKeypoints => {
-                cfg.icon = Some("mdi:human".into());
-                cfg.json_attributes_topic = Some(cfg.state_topic.clone());
-                cfg.value_template = Some("{{ value_json.n_keypoints }}".into());
-            }
-            EntityKind::FallRiskElevated => {
-                cfg.state_class = Some("measurement".into());
-                cfg.unit_of_measurement = Some("score".into());
-                cfg.icon = Some("mdi:human-fall".into());
-                cfg.value_template = Some("{{ value_json.score }}".into());
-            }
-        }
-
-        cfg
-    }
-
-    /// All entity kinds this builder will publish, given a `privacy_mode`
-    /// flag and a `publish_pose` flag. Used by the publisher to drive the
-    /// discovery-emission loop.
-    pub fn enabled_entities(privacy_mode: bool, publish_pose: bool, semantic_disabled: &[String]) -> Vec<EntityKind> {
-        let all = [
-            EntityKind::Presence,
-            EntityKind::PersonCount,
-            EntityKind::BreathingRate,
-            EntityKind::HeartRate,
-            EntityKind::MotionLevel,
-            EntityKind::MotionEnergy,
-            EntityKind::FallDetected,
-            EntityKind::PresenceScore,
-            EntityKind::Rssi,
-            EntityKind::ZoneOccupancy,
-            EntityKind::PoseKeypoints,
-            EntityKind::SomeoneSleeping,
-            EntityKind::PossibleDistress,
-            EntityKind::RoomActive,
-            EntityKind::ElderlyInactivityAnomaly,
-            EntityKind::MeetingInProgress,
-            EntityKind::BathroomOccupied,
-            EntityKind::FallRiskElevated,
-            EntityKind::BedExit,
-            EntityKind::NoMovement,
-            EntityKind::MultiRoomTransition,
-        ];
-
-        all.into_iter()
-            .filter(|e| {
-                if privacy_mode && e.is_biometric() {
-                    return false;
-                }
-                if *e == EntityKind::PoseKeypoints && !publish_pose {
-                    return false;
-                }
-                if let Some(slug) = semantic_slug_for(*e) {
-                    if semantic_disabled.iter().any(|d| d == slug) {
-                        return false;
-                    }
-                }
-                true
-            })
-            .collect()
-    }
-}
-
-/// For an entity kind, return the `--no-semantic <PRIMITIVE>` slug it
-/// would be disabled by, or `None` if it's not a semantic primitive.
-fn semantic_slug_for(e: EntityKind) -> Option<&'static str> {
-    Some(match e {
-        EntityKind::SomeoneSleeping => "sleeping",
-        EntityKind::PossibleDistress => "distress",
-        EntityKind::RoomActive => "room_active",
-        EntityKind::ElderlyInactivityAnomaly => "elderly_anomaly",
-        EntityKind::MeetingInProgress => "meeting",
-        EntityKind::BathroomOccupied => "bathroom",
-        EntityKind::FallRiskElevated => "fall_risk",
-        EntityKind::BedExit => "bed_exit",
-        EntityKind::NoMovement => "no_movement",
-        EntityKind::MultiRoomTransition => "multi_room",
-        _ => return None,
-    })
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use serde_json::Value;
-
-    fn builder() -> DiscoveryBuilder<'static> {
-        DiscoveryBuilder {
-            discovery_prefix: "homeassistant",
-            node_id: "aabbccddeeff",
-            node_friendly_name: Some("Bedroom"),
-            sw_version: "v0.7.0",
-            model: "ESP32-S3 CSI node",
-            via_device: Some("cognitum_seed_1"),
-        }
-    }
-
-    #[test]
-    fn presence_discovery_payload_shape() {
-        let b = builder();
-        let cfg = b.build(EntityKind::Presence);
-        let j: Value = serde_json::to_value(&cfg).unwrap();
-        assert_eq!(j["name"], "Presence");
-        assert_eq!(j["unique_id"], "wifi_densepose_aabbccddeeff_presence");
-        assert_eq!(j["device_class"], "occupancy");
-        assert_eq!(j["payload_on"], "ON");
-        assert_eq!(j["payload_off"], "OFF");
-        assert_eq!(j["qos"], 1);
-        assert_eq!(
-            j["state_topic"],
-            "homeassistant/binary_sensor/wifi_densepose_aabbccddeeff/presence/state"
-        );
-        assert_eq!(j["device"]["identifiers"][0], "wifi_densepose_aabbccddeeff");
-        assert_eq!(j["device"]["name"], "Bedroom");
-        assert_eq!(j["device"]["via_device"], "cognitum_seed_1");
-        assert_eq!(j["origin"]["name"], "wifi-densepose-sensing-server");
-    }
-
-    #[test]
-    fn heart_rate_discovery_payload_shape() {
-        let b = builder();
-        let cfg = b.build(EntityKind::HeartRate);
-        let j: Value = serde_json::to_value(&cfg).unwrap();
-        assert_eq!(j["unit_of_measurement"], "bpm");
-        assert_eq!(j["state_class"], "measurement");
-        assert_eq!(j["value_template"], "{{ value_json.bpm }}");
-        assert_eq!(j["qos"], 0);
-        assert!(j["json_attributes_topic"].as_str().unwrap().ends_with("/state"));
-    }
-
-    #[test]
-    fn fall_event_payload_uses_event_component_and_types() {
-        let b = builder();
-        let cfg = b.build(EntityKind::FallDetected);
-        let j: Value = serde_json::to_value(&cfg).unwrap();
-        assert!(j["state_topic"].as_str().unwrap().contains("/event/"));
-        assert_eq!(j["event_types"][0], "fall_detected");
-        assert_eq!(j["qos"], 1);
-    }
-
-    #[test]
-    fn semantic_primitive_uses_problem_class_for_distress() {
-        let b = builder();
-        let cfg = b.build(EntityKind::PossibleDistress);
-        let j: Value = serde_json::to_value(&cfg).unwrap();
-        assert_eq!(j["device_class"], "problem");
-        assert_eq!(j["payload_on"], "ON");
-        assert_eq!(j["payload_off"], "OFF");
-    }
-
-    #[test]
-    fn enabled_entities_default_excludes_pose_and_includes_all_others() {
-        let entities = DiscoveryBuilder::enabled_entities(false, false, &[]);
-        assert!(!entities.contains(&EntityKind::PoseKeypoints));
-        assert!(entities.contains(&EntityKind::Presence));
-        assert!(entities.contains(&EntityKind::HeartRate));
-        assert!(entities.contains(&EntityKind::SomeoneSleeping));
-    }
-
-    #[test]
-    fn privacy_mode_strips_biometrics() {
-        let entities = DiscoveryBuilder::enabled_entities(true, true, &[]);
-        for e in &entities {
-            assert!(!e.is_biometric(), "biometric {:?} leaked with privacy_mode", e);
-        }
-        // Semantic primitives must remain available (ADR-115 §3.12.3).
-        assert!(entities.contains(&EntityKind::SomeoneSleeping));
-        assert!(entities.contains(&EntityKind::BathroomOccupied));
-    }
-
-    #[test]
-    fn no_semantic_disables_specific_primitive() {
-        let disabled = vec!["distress".to_string(), "sleeping".to_string()];
-        let entities = DiscoveryBuilder::enabled_entities(false, false, &disabled);
-        assert!(!entities.contains(&EntityKind::PossibleDistress));
-        assert!(!entities.contains(&EntityKind::SomeoneSleeping));
-        // Raw signals untouched.
-        assert!(entities.contains(&EntityKind::Presence));
-    }
-
-    #[test]
-    fn topic_components_match_entity_kind() {
-        // binary_sensor for booleans.
-        assert_eq!(EntityKind::Presence.component(), DiscoveryComponent::BinarySensor);
-        assert_eq!(EntityKind::SomeoneSleeping.component(), DiscoveryComponent::BinarySensor);
-        // event for one-shots.
-        assert_eq!(EntityKind::FallDetected.component(), DiscoveryComponent::Event);
-        assert_eq!(EntityKind::BedExit.component(), DiscoveryComponent::Event);
-        // sensor for measurements.
-        assert_eq!(EntityKind::HeartRate.component(), DiscoveryComponent::Sensor);
-        assert_eq!(EntityKind::Rssi.component(), DiscoveryComponent::Sensor);
-    }
-
-    #[test]
-    fn discovery_config_serialises_without_null_fields() {
-        let b = builder();
-        let cfg = b.build(EntityKind::Presence);
-        let j = serde_json::to_string(&cfg).unwrap();
-        // skip_serializing_if = "Option::is_none" must hide unused fields
-        // so retained payloads stay compact on small brokers.
-        assert!(!j.contains("\"event_types\":null"));
-        assert!(!j.contains("\"unit_of_measurement\":null"));
-        assert!(!j.contains("\"value_template\":null"));
-    }
-
-    #[test]
-    fn availability_topic_matches_state_topic_path() {
-        let b = builder();
-        let state = format!(
-            "homeassistant/binary_sensor/wifi_densepose_aabbccddeeff/presence/state"
-        );
-        let avail = b.availability_topic(EntityKind::Presence);
-        // Must differ only in suffix.
-        assert_eq!(
-            state.trim_end_matches("/state"),
-            avail.trim_end_matches("/availability"),
-        );
-    }
-
-    #[test]
-    fn unique_id_uses_namespaced_node_prefix() {
-        let b = builder();
-        let cfg = b.build(EntityKind::Rssi);
-        assert!(cfg.unique_id.starts_with("wifi_densepose_"));
-        // ADR-115 §7 — namespace prevents collision with other HA devices.
-        assert!(cfg.unique_id.contains(b.node_id));
-    }
-}
@@ -1,73 +0,0 @@
-//! ADR-115 §2 — MQTT auto-discovery publisher (HA-DISCO).
-//!
-//! This module implements the dual-protocol Home Assistant integration's
-//! primary path: MQTT + HA auto-discovery. It owns the full lifecycle:
-//!
-//! 1. Connect to a user-supplied broker with optional TLS / mTLS.
-//! 2. Publish HA discovery `config` topics (retained) on connect and at
-//!    a refresh interval, so HA auto-creates one device + N entities per
-//!    RuView node.
-//! 3. Translate `sensing-server` broadcast messages (`edge_vitals`,
-//!    `pose_data`, `sensing_update`) into per-entity state messages with
-//!    rate limits.
-//! 4. Maintain a `availability` topic per entity with LWT for offline
-//!    detection.
-//!
-//! The module is gated behind the `mqtt` Cargo feature so the default
-//! `sensing-server` binary stays small for users who don't need HA
-//! integration. CLI flags parse unconditionally; the publisher is a
-//! no-op without the feature.
-//!
-//! ## Layout
-//!
-//! - [`discovery`] — HA discovery payload generators per entity type
-//! - [`state`]     — per-entity state-message encoders + rate limiter
-//! - [`publisher`] — connection lifecycle + topic publication
-//! - [`privacy`]   — biometric stripping per `--privacy-mode`
-//! - [`config`]    — `MqttConfig` struct fed by [`crate::cli::Args`]
-//!
-//! ## Cross-protocol coupling
-//!
-//! The semantic inference layer (ADR-115 §3.12, future `crate::semantic`)
-//! emits primitive state changes onto a `tokio::broadcast` channel that
-//! this module also subscribes to. Same channel is consumed by the Matter
-//! Bridge (ADR-115 §3.11, future `crate::matter`), so adding a new
-//! semantic primitive automatically flows to all surfaces.
-
-pub mod config;
-pub mod discovery;
-pub mod privacy;
-pub mod security;
-// State encoders + rate limiter compile without rumqttc, so they're
-// available for testing under `--no-default-features`. Only the
-// publisher itself (which holds the `rumqttc::AsyncClient`) needs the
-// `mqtt` feature.
-pub mod state;
-
-#[cfg(feature = "mqtt")]
-pub mod publisher;
-
-pub use config::MqttConfig;
-pub use discovery::{
-    AvailabilityPayload, DeviceMeta, DiscoveryComponent, DiscoveryConfig, OriginMeta,
-};
-
-/// Stable origin string written into every HA discovery payload's `origin`
-/// block so HA users can see which RuView version emitted the entities.
-pub const ORIGIN_NAME: &str = "wifi-densepose-sensing-server";
-
-/// Stable manufacturer string written into every HA discovery payload's
-/// `device` block.
-pub const MANUFACTURER: &str = "ruvnet";
-
-/// Stable `support_url` written into every HA discovery payload's `origin`
-/// block. Resolves to the HACS Python integration's follow-on repository
-/// per ADR-115 §9.3.
-pub const SUPPORT_URL: &str = "https://github.com/ruvnet/hass-wifi-densepose";
-
-/// Stable HA discovery topic prefix default. Maintainer-accepted in
-/// ADR-115 §9.2 — ship Home Assistant's own default rather than a
-/// RuView-namespaced one, so the integration is plug-and-play with a
-/// stock Mosquitto add-on. Operators with custom HA setups can override
-/// via `--mqtt-prefix`.
-pub const DEFAULT_DISCOVERY_PREFIX: &str = "homeassistant";
@@ -1,103 +0,0 @@
-//! Privacy-mode filter for outbound MQTT (and Matter) state messages.
-//!
-//! Implements the ADR-106 primitive-isolation contract at the integration
-//! boundary, gated by [`crate::cli::Args::privacy_mode`]. When the flag is
-//! set, biometric channels (HR, BR, raw pose keypoints) are stripped
-//! from every outbound message *and* their entities are never discovered
-//! by Home Assistant — `discovery.rs::DiscoveryBuilder::enabled_entities`
-//! returns the filtered set.
-//!
-//! Semantic primitives (someone-sleeping, possible-distress, etc) stay
-//! enabled in privacy mode because they're inferred *states*, not raw
-//! biometric values. The inference runs server-side and only the boolean
-//! / numeric state crosses the wire. This is the key design choice that
-//! makes ADR-115 §3.12 enterprise- and healthcare-deployable.
-
-use super::discovery::EntityKind;
-
-/// Decision for one outbound publication.
-#[derive(Debug, Clone, Copy, PartialEq, Eq)]
-pub enum PublishDecision {
-    /// Send as-is.
-    Publish,
-    /// Drop silently (entity is suppressed by privacy mode).
-    Suppress,
-}
-
-/// Decide whether an entity may be published given a privacy-mode flag.
-///
-/// Discovery and state share the same filter so an HA controller can't
-/// learn from the absence of state that the entity might exist with
-/// different filters in place — if it's stripped, it's stripped at every
-/// layer.
-pub fn decide(entity: EntityKind, privacy_mode: bool) -> PublishDecision {
-    if privacy_mode && entity.is_biometric() {
-        PublishDecision::Suppress
-    } else {
-        PublishDecision::Publish
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn privacy_off_publishes_everything() {
-        for e in [
-            EntityKind::Presence,
-            EntityKind::HeartRate,
-            EntityKind::BreathingRate,
-            EntityKind::PoseKeypoints,
-            EntityKind::SomeoneSleeping,
-            EntityKind::PossibleDistress,
-            EntityKind::FallDetected,
-        ] {
-            assert_eq!(decide(e, false), PublishDecision::Publish);
-        }
-    }
-
-    #[test]
-    fn privacy_on_suppresses_biometrics_only() {
-        // HR / BR / pose keypoints → suppressed.
-        assert_eq!(decide(EntityKind::HeartRate, true), PublishDecision::Suppress);
-        assert_eq!(decide(EntityKind::BreathingRate, true), PublishDecision::Suppress);
-        assert_eq!(decide(EntityKind::PoseKeypoints, true), PublishDecision::Suppress);
-    }
-
-    #[test]
-    fn privacy_on_keeps_non_biometric_signals() {
-        for e in [
-            EntityKind::Presence,
-            EntityKind::PersonCount,
-            EntityKind::MotionLevel,
-            EntityKind::Rssi,
-            EntityKind::ZoneOccupancy,
-            EntityKind::FallDetected,
-            EntityKind::PresenceScore,
-        ] {
-            assert_eq!(decide(e, true), PublishDecision::Publish, "{:?} should not be suppressed", e);
-        }
-    }
-
-    #[test]
-    fn privacy_on_keeps_semantic_primitives() {
-        // Per ADR-115 §3.12.3 — semantic primitives are *inferred* states,
-        // not raw biometrics, so they remain available in privacy mode.
-        // This is the core privacy win of HA-MIND.
-        for e in [
-            EntityKind::SomeoneSleeping,
-            EntityKind::PossibleDistress,
-            EntityKind::RoomActive,
-            EntityKind::ElderlyInactivityAnomaly,
-            EntityKind::MeetingInProgress,
-            EntityKind::BathroomOccupied,
-            EntityKind::FallRiskElevated,
-            EntityKind::BedExit,
-            EntityKind::NoMovement,
-            EntityKind::MultiRoomTransition,
-        ] {
-            assert_eq!(decide(e, true), PublishDecision::Publish, "{:?} should not be suppressed", e);
-        }
-    }
-}
@@ -1,298 +0,0 @@
-//! MQTT connection lifecycle + topic publication (ADR-115 §2 / §3.5 / §3.6).
-//!
-//! Gated behind `--features mqtt` because it pulls in `rumqttc`. The
-//! consumer is the broadcast channel `sensing-server` already writes to
-//! in `main.rs` (the same channel the WebSocket handler subscribes to —
-//! see ADR-115 §1 for the message types).
-//!
-//! ## Lifecycle
-//!
-//! 1. **Connect**: build [`rumqttc::MqttOptions`] from [`MqttConfig`],
-//!    install LWT on every entity's availability topic, set keepalive.
-//! 2. **Discovery**: emit one retained discovery `config` topic per
-//!    enabled entity per known node. Re-emit every `refresh_secs`.
-//! 3. **Availability heartbeat**: publish `online` retained on every
-//!    availability topic on connect, and re-publish every 30 s so HA can
-//!    detect zombie sessions.
-//! 4. **State publication**: subscribe to the broadcast channel; for
-//!    each inbound message project it into a [`VitalsSnapshot`], pass
-//!    through the privacy filter, gate by [`RateLimiter`], encode via
-//!    [`StateEncoder`], publish.
-//!
-//! ## Reconnect strategy
-//!
-//! `rumqttc::EventLoop` reconnects automatically with backoff. After a
-//! successful reconnect we re-publish discovery (retained config topics
-//! survive at the broker, but a fresh HA install that came online after
-//! we last refreshed needs them) and reset the rate limiter so the
-//! first post-reconnect sample emits promptly.
-
-use std::sync::Arc;
-use std::time::{Duration, Instant};
-
-use rumqttc::{AsyncClient, ClientError, EventLoop, MqttOptions, QoS, Transport};
-use tokio::sync::broadcast;
-use tokio::task::JoinHandle;
-use tracing::{error, info, warn};
-
-use super::config::{MqttConfig, TlsConfig};
-use super::discovery::{DiscoveryBuilder, EntityKind};
-use super::state::{RateLimiter, StateEncoder, StateMessage, VitalsSnapshot};
-
-/// Heartbeat cadence for availability re-publication (per §3.6).
-const AVAILABILITY_HEARTBEAT: Duration = Duration::from_secs(30);
-
-/// Build a `rumqttc::MqttOptions` from validated [`MqttConfig`].
-fn build_mqtt_options(cfg: &MqttConfig) -> MqttOptions {
-    let mut opts = MqttOptions::new(&cfg.client_id, &cfg.host, cfg.port);
-    opts.set_keep_alive(Duration::from_secs(30));
-    opts.set_clean_session(true);
-
-    if let (Some(u), Some(p)) = (cfg.username.as_deref(), cfg.password.as_deref()) {
-        opts.set_credentials(u, p);
-    } else if let Some(u) = cfg.username.as_deref() {
-        opts.set_credentials(u, "");
-    }
-
-    if !matches!(cfg.tls, TlsConfig::Off) {
-        // We always use rustls (matches `ureq` in this crate). The
-        // specific cert / CA wiring is done by the runtime constructor;
-        // here we just flip the transport.
-        opts.set_transport(Transport::tls_with_default_config());
-    }
-
-    opts
-}
-
-/// One node's per-entity availability topics, pre-computed at startup so
-/// the heartbeat loop doesn't allocate per tick.
-struct NodeAvailability {
-    online_topics: Vec<String>,
-}
-
-impl NodeAvailability {
-    fn for_builder(b: &DiscoveryBuilder<'_>, entities: &[EntityKind]) -> Self {
-        let online_topics = entities
-            .iter()
-            .map(|e| b.availability_topic(*e))
-            .collect();
-        Self { online_topics }
-    }
-}
-
-/// Spawn the MQTT publisher background task. Returns the join handle so
-/// the caller can `await` it on shutdown. Errors during connection are
-/// retried internally by `rumqttc::EventLoop`.
-pub fn spawn(
-    cfg: Arc<MqttConfig>,
-    builder_owned: OwnedDiscoveryBuilder,
-    state_rx: broadcast::Receiver<VitalsSnapshot>,
-) -> JoinHandle<()> {
-    tokio::spawn(async move {
-        run(cfg, builder_owned, state_rx).await;
-    })
-}
-
-/// Owned twin of [`DiscoveryBuilder`] so the publisher task doesn't need
-/// to borrow from a stack frame the user holds. Cloned cheaply per
-/// reconnect.
-#[derive(Debug, Clone)]
-pub struct OwnedDiscoveryBuilder {
-    pub discovery_prefix: String,
-    pub node_id: String,
-    pub node_friendly_name: Option<String>,
-    pub sw_version: String,
-    pub model: String,
-    pub via_device: Option<String>,
-}
-
-impl OwnedDiscoveryBuilder {
-    pub fn as_borrowed(&self) -> DiscoveryBuilder<'_> {
-        DiscoveryBuilder {
-            discovery_prefix: &self.discovery_prefix,
-            node_id: &self.node_id,
-            node_friendly_name: self.node_friendly_name.as_deref(),
-            sw_version: &self.sw_version,
-            model: &self.model,
-            via_device: self.via_device.as_deref(),
-        }
-    }
-}
-
-/// Core run loop. Pumps the broadcast channel + the MQTT event loop in
-/// the same `select!` so we never block one on the other.
-async fn run(
-    cfg: Arc<MqttConfig>,
-    builder_owned: OwnedDiscoveryBuilder,
-    mut state_rx: broadcast::Receiver<VitalsSnapshot>,
-) {
-    let opts = build_mqtt_options(&cfg);
-    let (client, mut eventloop): (AsyncClient, EventLoop) = AsyncClient::new(opts, 256);
-
-    let builder_borrowed = builder_owned.as_borrowed();
-    let entities = DiscoveryBuilder::enabled_entities(
-        cfg.privacy_mode,
-        cfg.publish_pose,
-        &[], // no_semantic — wire from cli::Args in P3.5
-    );
-
-    if let Err(e) = publish_all_discovery(&client, &builder_borrowed, &entities).await {
-        warn!("[mqtt] initial discovery publish failed: {e}");
-    }
-    let avail = NodeAvailability::for_builder(&builder_borrowed, &entities);
-    if let Err(e) = publish_availability(&client, &avail, "online").await {
-        warn!("[mqtt] initial availability publish failed: {e}");
-    }
-
-    let mut rate_limiter = RateLimiter::new();
-    let mut last_heartbeat = Instant::now();
-    let mut last_refresh = Instant::now();
-    let start_instant = Instant::now();
-
-    info!(
-        host = %cfg.host,
-        port = cfg.port,
-        prefix = %cfg.discovery_prefix,
-        entities = entities.len(),
-        privacy = cfg.privacy_mode,
-        "[mqtt] publisher started",
-    );
-
-    loop {
-        tokio::select! {
-            biased;
-
-            // Pump the rumqttc event loop. Errors trigger automatic
-            // reconnect; we just log and continue.
-            ev = eventloop.poll() => {
-                match ev {
-                    Ok(_) => {}
-                    Err(e) => {
-                        error!("[mqtt] event loop error, will reconnect: {e}");
-                        rate_limiter.reset();
-                        // Brief backoff before next poll attempt.
-                        tokio::time::sleep(Duration::from_millis(500)).await;
-                    }
-                }
-            }
-
-            // Periodic heartbeat / discovery refresh.
-            _ = tokio::time::sleep(Duration::from_secs(1)) => {
-                if last_heartbeat.elapsed() >= AVAILABILITY_HEARTBEAT {
-                    if let Err(e) = publish_availability(&client, &avail, "online").await {
-                        warn!("[mqtt] heartbeat publish failed: {e}");
-                    }
-                    last_heartbeat = Instant::now();
-                }
-                if last_refresh.elapsed() >= Duration::from_secs(cfg.refresh_secs) {
-                    if let Err(e) = publish_all_discovery(&client, &builder_borrowed, &entities).await {
-                        warn!("[mqtt] discovery refresh failed: {e}");
-                    }
-                    last_refresh = Instant::now();
-                }
-            }
-
-            // Inbound state snapshot from the rest of sensing-server.
-            recv = state_rx.recv() => {
-                match recv {
-                    Ok(snap) => {
-                        let elapsed = start_instant.elapsed();
-                        publish_snapshot(&client, &builder_borrowed, &snap, &cfg, &mut rate_limiter, elapsed).await;
-                    }
-                    Err(broadcast::error::RecvError::Lagged(n)) => {
-                        warn!("[mqtt] lagged behind broadcast by {n} messages — dropped");
-                    }
-                    Err(broadcast::error::RecvError::Closed) => {
-                        info!("[mqtt] broadcast channel closed, draining");
-                        // Publish offline before exit.
-                        let _ = publish_availability(&client, &avail, "offline").await;
-                        let _ = client.disconnect().await;
-                        return;
-                    }
-                }
-            }
-        }
-    }
-}
-
-async fn publish_all_discovery(
-    client: &AsyncClient,
-    b: &DiscoveryBuilder<'_>,
-    entities: &[EntityKind],
-) -> Result<(), ClientError> {
-    for &e in entities {
-        let cfg = b.build(e);
-        let topic = b.config_topic(e);
-        let payload = serde_json::to_string(&cfg).expect("discovery payload always serialises");
-        client.publish(&topic, QoS::AtLeastOnce, true, payload).await?;
-    }
-    Ok(())
-}
-
-async fn publish_availability(
-    client: &AsyncClient,
-    avail: &NodeAvailability,
-    state: &str,
-) -> Result<(), ClientError> {
-    for topic in &avail.online_topics {
-        client.publish(topic, QoS::AtLeastOnce, true, state).await?;
-    }
-    Ok(())
-}
-
-async fn publish_snapshot(
-    client: &AsyncClient,
-    b: &DiscoveryBuilder<'_>,
-    snap: &VitalsSnapshot,
-    cfg: &MqttConfig,
-    rl: &mut RateLimiter,
-    elapsed: Duration,
-) {
-    let encoder = StateEncoder { builder: b };
-
-    // Binary: presence (change-only — caller is responsible for detecting
-    // change, but we always publish here because broadcast already debounces
-    // and HA will dedup retained equal values harmlessly).
-    if let Some(m) = encoder.boolean(EntityKind::Presence, snap.presence) {
-        let _ = publish_state(client, &m).await;
-    }
-
-    // Event: fall.
-    if snap.fall_detected {
-        if let Some(m) = encoder.event(
-            EntityKind::FallDetected,
-            "fall_detected",
-            snap.timestamp_ms,
-            Some(snap.vital_confidence),
-        ) {
-            let _ = publish_state(client, &m).await;
-        }
-    }
-
-    // Numeric rate-limited entities.
-    for (entity, allowed) in [
-        (EntityKind::PersonCount, rl.allow(EntityKind::PersonCount, elapsed, &cfg.rates)),
-        (EntityKind::HeartRate, !cfg.privacy_mode && rl.allow(EntityKind::HeartRate, elapsed, &cfg.rates)),
-        (EntityKind::BreathingRate, !cfg.privacy_mode && rl.allow(EntityKind::BreathingRate, elapsed, &cfg.rates)),
-        (EntityKind::MotionLevel, rl.allow(EntityKind::MotionLevel, elapsed, &cfg.rates)),
-        (EntityKind::MotionEnergy, rl.allow(EntityKind::MotionEnergy, elapsed, &cfg.rates)),
-        (EntityKind::PresenceScore, rl.allow(EntityKind::PresenceScore, elapsed, &cfg.rates)),
-        (EntityKind::Rssi, rl.allow(EntityKind::Rssi, elapsed, &cfg.rates)),
-    ] {
-        if !allowed {
-            continue;
-        }
-        if let Some(m) = encoder.numeric(entity, snap) {
-            let _ = publish_state(client, &m).await;
-        }
-    }
-}
-
-async fn publish_state(client: &AsyncClient, m: &StateMessage) -> Result<(), ClientError> {
-    let qos = match m.qos {
-        0 => QoS::AtMostOnce,
-        1 => QoS::AtLeastOnce,
-        _ => QoS::ExactlyOnce,
-    };
-    client.publish(&m.topic, qos, m.retain, m.payload.clone()).await
-}
@@ -1,326 +0,0 @@
-//! Security invariants for the MQTT publisher (ADR-115 §3.9 / §7).
-//!
-//! Everything that's user-facing on the wire must go through one of
-//! these checks before publish. The checks are pure functions so they
-//! can be exercised by both the unit-test suite and the integration
-//! test running against a real broker.
-//!
-//! ## Invariants enforced here
-//!
-//! 1. **Topic safety.** A node_id or zone tag that contains `+`, `#`,
-//!    or `\0` would corrupt MQTT topic semantics. We reject those at
-//!    config-validation time so a malicious payload from upstream can't
-//!    inject a subscription wildcard.
-//! 2. **Payload size.** HA's discovery schema doesn't have an explicit
-//!    cap, but most brokers default to 256 KB max message size. We
-//!    refuse to publish anything > 32 KB to stay well below that, and
-//!    log a `WARN` so the operator can investigate.
-//! 3. **Credential hygiene.** Passwords supplied directly via flag
-//!    (rather than via env) are rejected — they'd appear in `ps`
-//!    output, shell history, and (worse) syslog if a process supervisor
-//!    captures argv. `--mqtt-password-env <VAR>` is the only supported
-//!    path.
-//! 4. **TLS on non-localhost.** `MqttConfig::validate` already returns
-//!    `PlaintextOnPublicHost` advisory. This module promotes it to
-//!    fatal when `RUVIEW_MQTT_STRICT_TLS=1` (the planned v0.8.0
-//!    default per ADR §9.5).
-
-use std::path::Path;
-
-use super::config::{MqttConfig, MqttConfigError, TlsConfig};
-
-/// Max payload bytes we'll publish on any topic. Discovery configs are
-/// the largest payloads we emit (~1 KB each); pose attribute payloads
-/// can be larger when 17 keypoints × 3 floats are included.
-pub const MAX_PUBLISH_BYTES: usize = 32 * 1024;
-
-/// Reject characters that have MQTT-wildcard or NUL meaning.
-pub fn topic_segment_is_safe(s: &str) -> bool {
-    !s.is_empty()
-        && !s.contains('+')
-        && !s.contains('#')
-        && !s.contains('\0')
-        && !s.contains('/')   // segments must not embed separators
-}
-
-/// Reject paths that look like environment-leak vectors (NUL, newline).
-pub fn path_is_safe(p: &Path) -> bool {
-    let s = match p.to_str() {
-        Some(s) => s,
-        None => return false, // non-UTF-8 path — refuse
-    };
-    !s.contains('\0') && !s.contains('\n')
-}
-
-/// Reject anything that smells like an inline password (not env-resolved).
-pub fn password_via_env_only(cli_password: Option<&str>) -> Result<(), MqttConfigError> {
-    if cli_password.is_some() {
-        // We never accept a `--mqtt-password` flag in the CLI surface.
-        // This guard exists so future refactors that add one fail loud.
-        return Err(MqttConfigError::EmptyHost); // reuse — semantic error covered in §lints
-    }
-    Ok(())
-}
-
-/// One-shot pre-publish audit. Call before any I/O. Returns the first
-/// failure or Ok(()) when every invariant holds.
-pub fn audit(cfg: &MqttConfig) -> Result<(), MqttConfigError> {
-    // Basic validation from MqttConfig (host, port, rate sanity, TLS).
-    cfg.validate()?;
-
-    // STRICT_TLS override — promotes the §9.5 advisory to fatal.
-    if std::env::var("RUVIEW_MQTT_STRICT_TLS").as_deref() == Ok("1")
-        && matches!(cfg.tls, TlsConfig::Off)
-        && !cfg.host.eq_ignore_ascii_case("localhost")
-        && !cfg.host.starts_with("127.")
-        && !cfg.host.starts_with("::1")
-    {
-        return Err(MqttConfigError::PlaintextOnPublicHost {
-            host: cfg.host.clone(),
-        });
-    }
-
-    // Path safety.
-    if let Some(p) = &cfg.password { let _ = p; }
-    if let Some(client_id) = Some(&cfg.client_id) {
-        if !topic_segment_is_safe(client_id) {
-            return Err(MqttConfigError::EmptyHost); // reuse: replace once dedicated variant added
-        }
-    }
-
-    // Topic prefix safety.
-    if !cfg.discovery_prefix.chars().all(|c| {
-        c.is_ascii_alphanumeric() || c == '_' || c == '-' || c == '/'
-    }) {
-        return Err(MqttConfigError::EmptyHost);
-    }
-
-    Ok(())
-}
-
-/// Hard cap on outbound payload size. Used by the publisher just before
-/// `client.publish(...)`. Returns the truncation byte count if the
-/// payload exceeds the limit (so the publisher can drop with a `WARN`
-/// rather than crash).
-pub fn check_payload_size(payload: &[u8]) -> Result<(), usize> {
-    if payload.len() > MAX_PUBLISH_BYTES {
-        Err(payload.len())
-    } else {
-        Ok(())
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::mqtt::config::{PublishRates, TlsConfig};
-
-    fn base_cfg() -> MqttConfig {
-        MqttConfig {
-            host: "localhost".into(),
-            port: 1883,
-            username: None,
-            password: None,
-            client_id: "test-client".into(),
-            discovery_prefix: "homeassistant".into(),
-            tls: TlsConfig::Off,
-            refresh_secs: 600,
-            rates: PublishRates::default(),
-            publish_pose: false,
-            privacy_mode: false,
-        }
-    }
-
-    // ─── Topic safety ───────────────────────────────────────────────
-
-    #[test]
-    fn topic_segment_safe_normal() {
-        assert!(topic_segment_is_safe("wifi_densepose_aabbcc"));
-        assert!(topic_segment_is_safe("presence"));
-        assert!(topic_segment_is_safe("ESP32-S3.node-7"));
-    }
-
-    #[test]
-    fn topic_segment_rejects_wildcards() {
-        assert!(!topic_segment_is_safe("+"));
-        assert!(!topic_segment_is_safe("evil+segment"));
-        assert!(!topic_segment_is_safe("#"));
-        assert!(!topic_segment_is_safe("seg#with"));
-    }
-
-    #[test]
-    fn topic_segment_rejects_nul_and_slash() {
-        assert!(!topic_segment_is_safe("with\0nul"));
-        assert!(!topic_segment_is_safe("path/with/separator"));
-    }
-
-    #[test]
-    fn topic_segment_rejects_empty() {
-        assert!(!topic_segment_is_safe(""));
-    }
-
-    // ─── Path safety ────────────────────────────────────────────────
-
-    #[test]
-    fn path_safety_accepts_normal_paths() {
-        assert!(path_is_safe(Path::new("/etc/ssl/ca.pem")));
-        assert!(path_is_safe(Path::new("C:\\Users\\test\\client.pem")));
-    }
-
-    #[test]
-    fn path_safety_rejects_nul_and_newline() {
-        assert!(!path_is_safe(Path::new("with\nnewline")));
-        assert!(!path_is_safe(Path::new("with\0nul")));
-    }
-
-    // ─── Audit ──────────────────────────────────────────────────────
-
-    #[test]
-    fn audit_accepts_clean_localhost_config() {
-        assert!(audit(&base_cfg()).is_ok());
-    }
-
-    #[test]
-    fn audit_rejects_unsafe_discovery_prefix() {
-        let mut cfg = base_cfg();
-        cfg.discovery_prefix = "evil prefix with space".into();
-        assert!(audit(&cfg).is_err());
-    }
-
-    #[test]
-    fn audit_rejects_unsafe_client_id() {
-        let mut cfg = base_cfg();
-        cfg.client_id = "client#with#hash".into();
-        assert!(audit(&cfg).is_err());
-    }
-
-    #[test]
-    fn audit_plaintext_public_advisory_when_strict_off() {
-        let mut cfg = base_cfg();
-        cfg.host = "broker.example.com".into();
-        std::env::remove_var("RUVIEW_MQTT_STRICT_TLS");
-        let err = audit(&cfg).unwrap_err();
-        // Advisory — caller decides whether to abort.
-        assert!(!err.is_fatal());
-    }
-
-    #[test]
-    #[ignore = "mutates global env — run serially with --test-threads=1"]
-    fn audit_plaintext_public_fatal_when_strict_on() {
-        let mut cfg = base_cfg();
-        cfg.host = "broker.example.com".into();
-        std::env::set_var("RUVIEW_MQTT_STRICT_TLS", "1");
-        let err = audit(&cfg).unwrap_err();
-        // STRICT_TLS promotes the advisory in audit() — caller can
-        // still inspect; this test asserts the error variant is the
-        // public-host one.
-        assert!(matches!(err, MqttConfigError::PlaintextOnPublicHost { .. }));
-        std::env::remove_var("RUVIEW_MQTT_STRICT_TLS");
-    }
-
-    // ─── Payload size ───────────────────────────────────────────────
-
-    #[test]
-    fn payload_size_accepts_small_message() {
-        assert!(check_payload_size(&[0u8; 1024]).is_ok());
-    }
-
-    #[test]
-    fn payload_size_accepts_at_limit() {
-        assert!(check_payload_size(&vec![0u8; MAX_PUBLISH_BYTES]).is_ok());
-    }
-
-    #[test]
-    fn payload_size_rejects_over_limit() {
-        let r = check_payload_size(&vec![0u8; MAX_PUBLISH_BYTES + 1]);
-        assert!(r.is_err());
-        assert_eq!(r.unwrap_err(), MAX_PUBLISH_BYTES + 1);
-    }
-
-    // ─── Credentials ────────────────────────────────────────────────
-
-    #[test]
-    fn password_via_env_only_accepts_none() {
-        assert!(password_via_env_only(None).is_ok());
-    }
-
-    #[test]
-    fn password_via_env_only_rejects_inline() {
-        // This guard is the canary: if the CLI ever grows a
-        // --mqtt-password flag, this test fails on purpose.
-        assert!(password_via_env_only(Some("secret")).is_err());
-    }
-
-    // ─── Property-based fuzzing (proptest) ──────────────────────────
-    //
-    // The example-based tests above hit the obvious cases. These
-    // property tests hit *every* case clap could pass us: random
-    // Unicode, control chars, embedded NULs at arbitrary offsets,
-    // multi-character wildcards, etc. They catch regressions where a
-    // future refactor accidentally narrows the rejection envelope.
-
-    use proptest::prelude::*;
-
-    proptest! {
-        /// For ANY string that contains `+`, `#`, NUL, or `/`, the
-        /// safety check must return false. No exceptions.
-        #[test]
-        fn topic_segment_rejects_anything_with_wildcards_or_separators(
-            prefix in "[a-zA-Z0-9_-]{0,16}",
-            suffix in "[a-zA-Z0-9_-]{0,16}",
-            offender in proptest::char::any().prop_filter(
-                "must be reserved char", |c| matches!(c, '+' | '#' | '\0' | '/')
-            ),
-        ) {
-            let s = format!("{prefix}{offender}{suffix}");
-            prop_assert!(!topic_segment_is_safe(&s), "must reject {:?}", s);
-        }
-
-        /// For any non-empty string containing ONLY chars from the
-        /// "safe" alphabet (alphanumeric + a few punctuation), the
-        /// check must pass.
-        #[test]
-        fn topic_segment_accepts_safe_alphabet(s in "[a-zA-Z0-9_.\\-]{1,64}") {
-            prop_assert!(topic_segment_is_safe(&s), "must accept {:?}", s);
-        }
-
-        /// Empty strings always rejected, regardless of input source.
-        #[test]
-        fn topic_segment_always_rejects_empty(seed in any::<u64>()) {
-            let _ = seed; // just to randomize the test runner
-            prop_assert!(!topic_segment_is_safe(""));
-        }
-
-        /// Payload-size check: every size ≤ MAX_PUBLISH_BYTES is OK;
-        /// every size > MAX_PUBLISH_BYTES errors with the actual size.
-        #[test]
-        fn payload_size_check_is_monotonic(
-            len in 0usize..=(MAX_PUBLISH_BYTES * 2)
-        ) {
-            // Don't actually allocate MAX_PUBLISH_BYTES * 2 of memory
-            // every test; use a small payload + lie about its length
-            // via slicing semantics. The function only checks .len().
-            let buf = vec![0u8; len];
-            let r = check_payload_size(&buf);
-            if len > MAX_PUBLISH_BYTES {
-                prop_assert!(r.is_err());
-                prop_assert_eq!(r.unwrap_err(), len);
-            } else {
-                prop_assert!(r.is_ok());
-            }
-        }
-
-        /// Path safety: a path containing NUL or newline must be
-        /// rejected, regardless of the rest of the path.
-        #[test]
-        fn path_safety_rejects_nul_or_newline_anywhere(
-            prefix in "[a-zA-Z0-9_/.\\-]{0,32}",
-            suffix in "[a-zA-Z0-9_/.\\-]{0,32}",
-            offender in prop_oneof!["\\u{0000}", "\\n"],
-        ) {
-            let s = format!("{prefix}{offender}{suffix}");
-            let p = std::path::Path::new(&s);
-            prop_assert!(!path_is_safe(p), "must reject path with offender: {:?}", s);
-        }
-    }
-}
@@ -1,540 +0,0 @@
-//! State payload encoding + rate limiting (ADR-115 §3.5 / §3.7).
-//!
-//! This module owns the translation from internal `sensing-server`
-//! broadcast messages (`pose_data`, `edge_vitals`, `sensing_update`)
-//! into the per-entity MQTT state-topic payloads consumed by Home
-//! Assistant. It is gated behind the `mqtt` feature flag at the call
-//! site, but the encoders and rate-limiter logic compile without any
-//! network deps so they're testable under `--no-default-features`.
-//!
-//! Per ADR-115 §3.5, state-topic QoS / retain / cadence is:
-//!
-//! | Topic kind             | QoS | Retain | Cadence                |
-//! |------------------------|-----|--------|------------------------|
-//! | `sensor/*/state`       |  0  |   no   | rate-limited per §3.7  |
-//! | `binary_sensor/*/state`|  1  |  yes   | on change only         |
-//! | `event/*/state`        |  1  |   no   | on event               |
-//! | `*/availability`       |  1  |  yes   | LWT + 30 s heartbeat   |
-//!
-//! Per ADR-115 §3.7, default rates are:
-//!
-//! - presence binary  : on change
-//! - person count     : 1.0 Hz
-//! - vitals (HR / BR) : 0.2 Hz (every 5 s)
-//! - motion level     : 1.0 Hz
-//! - fall events      : on event (no rate limit)
-//! - RSSI             : 0.1 Hz
-//! - pose             : 1.0 Hz when `--mqtt-publish-pose` (off by default)
-//! - zones            : on change
-
-use std::collections::HashMap;
-use std::time::Duration;
-
-use serde::Serialize;
-use serde_json::Value;
-
-use super::config::PublishRates;
-use super::discovery::{DiscoveryComponent, EntityKind};
-
-/// Encoded outbound MQTT publication. `topic` is fully-qualified
-/// (already prefixed with the discovery namespace + node id). `payload`
-/// is the UTF-8 string the broker should publish on that topic.
-#[derive(Debug, Clone, PartialEq, Eq)]
-pub struct StateMessage {
-    pub topic: String,
-    pub payload: String,
-    pub qos: u8,
-    pub retain: bool,
-}
-
-impl StateMessage {
-    pub fn new(topic: String, payload: String, component: DiscoveryComponent, is_change_only: bool) -> Self {
-        let (qos, retain) = match component {
-            DiscoveryComponent::BinarySensor => (1, is_change_only),
-            DiscoveryComponent::Event => (1, false),
-            DiscoveryComponent::Sensor => (0, false),
-        };
-        Self { topic, payload, qos, retain }
-    }
-}
-
-/// Sample-rate-limit decisions, per entity. Tracks the last-emitted
-/// instant per entity and gates further emissions accordingly. Time is
-/// supplied by the caller so the limiter is testable without a clock.
-#[derive(Debug, Default)]
-pub struct RateLimiter {
-    last: HashMap<EntityKind, Duration>,
-}
-
-impl RateLimiter {
-    /// Build a fresh limiter with no per-entity history.
-    pub fn new() -> Self {
-        Self { last: HashMap::new() }
-    }
-
-    /// Decide whether a sample for `entity` is allowed to publish at
-    /// `now`, given the configured `rates`. Returns true to publish
-    /// (and updates last-emitted state); false to drop.
-    pub fn allow(&mut self, entity: EntityKind, now: Duration, rates: &PublishRates) -> bool {
-        let min_gap = match rate_hz_for(entity, rates) {
-            // Zero / negative Hz → emit only on change (caller path).
-            // Here we treat it as "always allow" because the caller is
-            // already gating with change detection.
-            rate if rate <= 0.0 => return true,
-            rate => Duration::from_secs_f64(1.0 / rate),
-        };
-        match self.last.get(&entity) {
-            Some(&prev) if now.saturating_sub(prev) < min_gap => false,
-            _ => {
-                self.last.insert(entity, now);
-                true
-            }
-        }
-    }
-
-    /// Reset all per-entity history. Used after a reconnect so the first
-    /// post-reconnect sample is emitted promptly.
-    pub fn reset(&mut self) {
-        self.last.clear();
-    }
-}
-
-/// Look up the configured Hz for an entity. Numerical entities use the
-/// `rates` struct; non-rate-limited entities (events / change-only)
-/// return 0.0 to short-circuit limiting.
-fn rate_hz_for(entity: EntityKind, rates: &PublishRates) -> f64 {
-    match entity {
-        // Change-only / event entities — caller drives them.
-        EntityKind::Presence
-        | EntityKind::ZoneOccupancy
-        | EntityKind::FallDetected
-        | EntityKind::BedExit
-        | EntityKind::MultiRoomTransition
-        | EntityKind::SomeoneSleeping
-        | EntityKind::PossibleDistress
-        | EntityKind::RoomActive
-        | EntityKind::ElderlyInactivityAnomaly
-        | EntityKind::MeetingInProgress
-        | EntityKind::BathroomOccupied
-        | EntityKind::NoMovement => 0.0,
-        // Rate-limited measurements.
-        EntityKind::PersonCount => rates.count_hz,
-        EntityKind::BreathingRate | EntityKind::HeartRate => rates.vitals_hz,
-        EntityKind::MotionLevel | EntityKind::MotionEnergy => rates.motion_hz,
-        EntityKind::PresenceScore => rates.motion_hz,
-        EntityKind::Rssi => rates.rssi_hz,
-        EntityKind::PoseKeypoints => rates.pose_hz,
-        EntityKind::FallRiskElevated => rates.motion_hz,
-    }
-}
-
-// ─── Per-entity state payload encoders ───────────────────────────────────
-
-/// Inputs the encoder accepts. The caller (publisher loop) projects the
-/// internal server broadcast into this struct so the encoder never
-/// touches the original `serde_json::Value`s directly. Avoids leaking
-/// the server's internal schema into ADR-115's wire format.
-#[derive(Debug, Clone, Default)]
-pub struct VitalsSnapshot {
-    pub node_id: String,
-    pub timestamp_ms: i64,
-    pub presence: bool,
-    pub fall_detected: bool,
-    pub motion: f64,             // 0.0–1.0
-    pub motion_energy: f64,
-    pub presence_score: f64,     // 0.0–1.0
-    pub breathing_rate_bpm: Option<f64>,
-    pub heartrate_bpm: Option<f64>,
-    pub n_persons: u32,
-    pub rssi_dbm: Option<f64>,
-    pub vital_confidence: f64,   // 0.0–1.0
-}
-
-#[derive(Serialize, Debug)]
-struct NumberWithConfidence {
-    bpm: f64,
-    confidence: f64,
-    ts: String,
-}
-
-#[derive(Serialize, Debug)]
-struct MotionStatePayload {
-    level_pct: f64,
-    ts: String,
-}
-
-#[derive(Serialize, Debug)]
-struct EnergyStatePayload {
-    energy: f64,
-    ts: String,
-}
-
-#[derive(Serialize, Debug)]
-struct CountStatePayload {
-    n_persons: u32,
-    ts: String,
-}
-
-#[derive(Serialize, Debug)]
-struct PresenceScorePayload {
-    score_pct: f64,
-    ts: String,
-}
-
-#[derive(Serialize, Debug)]
-struct RssiPayload {
-    dbm: f64,
-    ts: String,
-}
-
-#[derive(Serialize, Debug)]
-struct FallEventPayload {
-    event_type: &'static str,
-    ts: String,
-    #[serde(skip_serializing_if = "Option::is_none")]
-    confidence: Option<f64>,
-}
-
-/// Encoder bundle that knows how to render each entity's state payload
-/// from a [`VitalsSnapshot`]. Operates on an existing [`DiscoveryBuilder`]
-/// so topics are guaranteed to match what was advertised at discovery
-/// time.
-pub struct StateEncoder<'a> {
-    pub builder: &'a super::discovery::DiscoveryBuilder<'a>,
-}
-
-impl<'a> StateEncoder<'a> {
-    /// Build the binary state ("ON"/"OFF") topic + payload for the given
-    /// boolean entity.
-    pub fn boolean(&self, entity: EntityKind, on: bool) -> Option<StateMessage> {
-        if !matches!(entity.component(), DiscoveryComponent::BinarySensor) {
-            return None;
-        }
-        let topic = format!(
-            "{}/{}/wifi_densepose_{}/{}/state",
-            self.builder.discovery_prefix,
-            entity.component().as_str(),
-            self.builder.node_id,
-            entity.topic_slug(),
-        );
-        let payload = if on { "ON" } else { "OFF" }.to_string();
-        Some(StateMessage::new(topic, payload, entity.component(), true))
-    }
-
-    /// Numeric/measurement state encoder.
-    pub fn numeric(&self, entity: EntityKind, snap: &VitalsSnapshot) -> Option<StateMessage> {
-        if !matches!(entity.component(), DiscoveryComponent::Sensor) {
-            return None;
-        }
-        let ts = iso_ts(snap.timestamp_ms);
-        let payload_value: Value = match entity {
-            EntityKind::PersonCount => serde_json::to_value(CountStatePayload {
-                n_persons: snap.n_persons,
-                ts: ts.clone(),
-            }).ok()?,
-            EntityKind::BreathingRate => {
-                let bpm = snap.breathing_rate_bpm?;
-                serde_json::to_value(NumberWithConfidence {
-                    bpm,
-                    confidence: snap.vital_confidence,
-                    ts: ts.clone(),
-                }).ok()?
-            }
-            EntityKind::HeartRate => {
-                let bpm = snap.heartrate_bpm?;
-                serde_json::to_value(NumberWithConfidence {
-                    bpm,
-                    confidence: snap.vital_confidence,
-                    ts: ts.clone(),
-                }).ok()?
-            }
-            EntityKind::MotionLevel => serde_json::to_value(MotionStatePayload {
-                level_pct: (snap.motion.clamp(0.0, 1.0)) * 100.0,
-                ts: ts.clone(),
-            }).ok()?,
-            EntityKind::MotionEnergy => serde_json::to_value(EnergyStatePayload {
-                energy: snap.motion_energy,
-                ts: ts.clone(),
-            }).ok()?,
-            EntityKind::PresenceScore => serde_json::to_value(PresenceScorePayload {
-                score_pct: snap.presence_score.clamp(0.0, 1.0) * 100.0,
-                ts: ts.clone(),
-            }).ok()?,
-            EntityKind::Rssi => {
-                let dbm = snap.rssi_dbm?;
-                serde_json::to_value(RssiPayload { dbm, ts: ts.clone() }).ok()?
-            }
-            _ => return None,
-        };
-        let topic = format!(
-            "{}/{}/wifi_densepose_{}/{}/state",
-            self.builder.discovery_prefix,
-            entity.component().as_str(),
-            self.builder.node_id,
-            entity.topic_slug(),
-        );
-        let payload = serde_json::to_string(&payload_value).ok()?;
-        Some(StateMessage::new(topic, payload, DiscoveryComponent::Sensor, false))
-    }
-
-    /// One-shot event encoder. Used for fall, bed exit, multi-room
-    /// transition.
-    pub fn event(&self, entity: EntityKind, event_type: &'static str, ts_ms: i64, confidence: Option<f64>) -> Option<StateMessage> {
-        if !matches!(entity.component(), DiscoveryComponent::Event) {
-            return None;
-        }
-        let payload_json = FallEventPayload { event_type, ts: iso_ts(ts_ms), confidence };
-        let payload = serde_json::to_string(&payload_json).ok()?;
-        let topic = format!(
-            "{}/{}/wifi_densepose_{}/{}/state",
-            self.builder.discovery_prefix,
-            entity.component().as_str(),
-            self.builder.node_id,
-            entity.topic_slug(),
-        );
-        Some(StateMessage::new(topic, payload, DiscoveryComponent::Event, false))
-    }
-}
-
-fn iso_ts(ms: i64) -> String {
-    // Avoid pulling chrono into a hot path: format manually as ISO-8601
-    // UTC. chrono is already in the crate's deps, but we keep this
-    // encoder allocation-light for benchmark numbers.
-    let secs = ms / 1000;
-    let nanos = ((ms % 1000) * 1_000_000) as u32;
-    let dt = chrono::DateTime::<chrono::Utc>::from_timestamp(secs, nanos)
-        .unwrap_or_else(|| chrono::DateTime::<chrono::Utc>::from_timestamp(0, 0).unwrap());
-    dt.to_rfc3339_opts(chrono::SecondsFormat::Millis, true)
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use crate::mqtt::discovery::DiscoveryBuilder;
-
-    fn builder() -> DiscoveryBuilder<'static> {
-        DiscoveryBuilder {
-            discovery_prefix: "homeassistant",
-            node_id: "aabbccddeeff",
-            node_friendly_name: Some("Bedroom"),
-            sw_version: "v0.7.0",
-            model: "ESP32-S3 CSI node",
-            via_device: None,
-        }
-    }
-
-    fn rates() -> PublishRates {
-        PublishRates {
-            vitals_hz: 0.2,
-            motion_hz: 1.0,
-            count_hz: 1.0,
-            rssi_hz: 0.1,
-            pose_hz: 1.0,
-        }
-    }
-
-    fn snap() -> VitalsSnapshot {
-        VitalsSnapshot {
-            node_id: "aabbccddeeff".into(),
-            timestamp_ms: 1779_512_400_000,
-            presence: true,
-            fall_detected: false,
-            motion: 0.35,
-            motion_energy: 1234.5,
-            presence_score: 0.91,
-            breathing_rate_bpm: Some(14.2),
-            heartrate_bpm: Some(68.2),
-            n_persons: 1,
-            rssi_dbm: Some(-52.0),
-            vital_confidence: 0.87,
-        }
-    }
-
-    // ─── Rate limiter ────────────────────────────────────────────────
-
-    #[test]
-    fn rate_limiter_first_sample_always_passes() {
-        let mut rl = RateLimiter::new();
-        assert!(rl.allow(EntityKind::HeartRate, Duration::ZERO, &rates()));
-    }
-
-    #[test]
-    fn rate_limiter_drops_within_gap() {
-        let mut rl = RateLimiter::new();
-        let r = rates();
-        // 0.2 Hz → 5 s gap.
-        assert!(rl.allow(EntityKind::HeartRate, Duration::from_secs(0), &r));
-        assert!(!rl.allow(EntityKind::HeartRate, Duration::from_secs(1), &r));
-        assert!(!rl.allow(EntityKind::HeartRate, Duration::from_secs(4), &r));
-    }
-
-    #[test]
-    fn rate_limiter_allows_after_gap() {
-        let mut rl = RateLimiter::new();
-        let r = rates();
-        assert!(rl.allow(EntityKind::HeartRate, Duration::from_secs(0), &r));
-        // 5 s gap met → allow.
-        assert!(rl.allow(EntityKind::HeartRate, Duration::from_secs(5), &r));
-    }
-
-    #[test]
-    fn rate_limiter_per_entity_independent() {
-        let mut rl = RateLimiter::new();
-        let r = rates();
-        assert!(rl.allow(EntityKind::HeartRate, Duration::from_secs(0), &r));
-        // Different entity, same instant → independent budget.
-        assert!(rl.allow(EntityKind::MotionLevel, Duration::from_secs(0), &r));
-    }
-
-    #[test]
-    fn rate_limiter_change_only_entities_always_allow() {
-        let mut rl = RateLimiter::new();
-        let r = rates();
-        // Presence is change-only → rate=0 → unlimited; caller does change detection.
-        for s in 0..3 {
-            assert!(rl.allow(EntityKind::Presence, Duration::from_secs(s), &r));
-        }
-    }
-
-    #[test]
-    fn rate_limiter_reset_re_enables_immediate_publish() {
-        let mut rl = RateLimiter::new();
-        let r = rates();
-        assert!(rl.allow(EntityKind::HeartRate, Duration::from_secs(0), &r));
-        assert!(!rl.allow(EntityKind::HeartRate, Duration::from_secs(1), &r));
-        rl.reset();
-        // Post-reset: first sample passes.
-        assert!(rl.allow(EntityKind::HeartRate, Duration::from_secs(1), &r));
-    }
-
-    // ─── Boolean / binary_sensor encoder ─────────────────────────────
-
-    #[test]
-    fn boolean_encoder_emits_on_off_payload() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        let on = enc.boolean(EntityKind::Presence, true).unwrap();
-        assert_eq!(on.payload, "ON");
-        assert_eq!(on.qos, 1);
-        assert!(on.retain, "binary_sensor state must be retained per §3.5");
-        let off = enc.boolean(EntityKind::Presence, false).unwrap();
-        assert_eq!(off.payload, "OFF");
-    }
-
-    #[test]
-    fn boolean_encoder_rejects_non_binary_entities() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        assert!(enc.boolean(EntityKind::HeartRate, true).is_none());
-        assert!(enc.boolean(EntityKind::FallDetected, true).is_none());
-    }
-
-    #[test]
-    fn boolean_topic_matches_discovery_state_topic() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        let msg = enc.boolean(EntityKind::Presence, true).unwrap();
-        assert_eq!(
-            msg.topic,
-            "homeassistant/binary_sensor/wifi_densepose_aabbccddeeff/presence/state"
-        );
-    }
-
-    // ─── Numeric / sensor encoder ────────────────────────────────────
-
-    #[test]
-    fn numeric_encoder_emits_bpm_payload_for_heart_rate() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        let s = snap();
-        let msg = enc.numeric(EntityKind::HeartRate, &s).unwrap();
-        let json: serde_json::Value = serde_json::from_str(&msg.payload).unwrap();
-        assert_eq!(json["bpm"], 68.2);
-        assert_eq!(json["confidence"], 0.87);
-        assert_eq!(msg.qos, 0, "sensor state is QoS 0 per §3.5");
-        assert!(!msg.retain);
-    }
-
-    #[test]
-    fn numeric_encoder_emits_motion_percent_payload() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        let s = snap();
-        let msg = enc.numeric(EntityKind::MotionLevel, &s).unwrap();
-        let json: serde_json::Value = serde_json::from_str(&msg.payload).unwrap();
-        // 0.35 → 35.0%
-        assert_eq!(json["level_pct"], 35.0);
-    }
-
-    #[test]
-    fn numeric_encoder_returns_none_when_optional_field_missing() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        let mut s = snap();
-        s.heartrate_bpm = None;
-        assert!(enc.numeric(EntityKind::HeartRate, &s).is_none());
-    }
-
-    #[test]
-    fn numeric_encoder_clamps_out_of_range_motion() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        let mut s = snap();
-        s.motion = 1.7; // pathological — clamp to 1.0 then ×100.
-        let msg = enc.numeric(EntityKind::MotionLevel, &s).unwrap();
-        let json: serde_json::Value = serde_json::from_str(&msg.payload).unwrap();
-        assert_eq!(json["level_pct"], 100.0);
-    }
-
-    #[test]
-    fn numeric_encoder_rejects_non_sensor_entities() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        let s = snap();
-        assert!(enc.numeric(EntityKind::Presence, &s).is_none());
-        assert!(enc.numeric(EntityKind::FallDetected, &s).is_none());
-    }
-
-    // ─── Event encoder ───────────────────────────────────────────────
-
-    #[test]
-    fn event_encoder_emits_fall_payload() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        let msg = enc
-            .event(EntityKind::FallDetected, "fall_detected", 1779_512_400_000, Some(0.87))
-            .unwrap();
-        let json: serde_json::Value = serde_json::from_str(&msg.payload).unwrap();
-        assert_eq!(json["event_type"], "fall_detected");
-        assert_eq!(json["confidence"], 0.87);
-        assert_eq!(msg.qos, 1);
-        assert!(!msg.retain, "events must never be retained — HA would replay old falls");
-    }
-
-    #[test]
-    fn event_encoder_omits_confidence_when_absent() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        let msg = enc
-            .event(EntityKind::BedExit, "bed_exit", 1779_512_400_000, None)
-            .unwrap();
-        assert!(!msg.payload.contains("confidence"));
-    }
-
-    #[test]
-    fn event_encoder_rejects_non_event_entities() {
-        let b = builder();
-        let enc = StateEncoder { builder: &b };
-        assert!(enc.event(EntityKind::Presence, "x", 0, None).is_none());
-        assert!(enc.event(EntityKind::HeartRate, "x", 0, None).is_none());
-    }
-
-    #[test]
-    fn iso_ts_is_rfc3339_utc_with_millis() {
-        let ts = iso_ts(1779_512_400_000);
-        assert!(ts.ends_with("Z"));
-        assert!(ts.contains("T"));
-        // .000 suffix from `SecondsFormat::Millis`.
-        assert!(ts.contains("."), "want millisecond fraction in: {}", ts);
-    }
-}
@@ -1,130 +0,0 @@
-//! Bathroom-occupied primitive (§3.12.1 row 6).
-//!
-//! `bathroom_occupied = ON` iff `presence == true` AND any zone in
-//! `active_zones` is configured as a bathroom (`cfg.bathroom_zone_tag`,
-//! cross-referenced against `bed_zones`/`active_zones` via the
-//! `--semantic-zones-file` config).
-//!
-//! Per §3.12.3 — explicitly safe in privacy mode because the entity is
-//! a zone-derived boolean, not biometric.
-
-use super::common::{PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
-
-#[derive(Debug, Default, Clone)]
-pub struct BathroomOccupied {
-    pub active: bool,
-}
-
-impl BathroomOccupied {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    pub fn tick(&mut self, snap: &RawSnapshot, cfg: &PrimitiveConfig) -> PrimitiveState {
-        if snap.since_start < cfg.warmup {
-            return PrimitiveState::Idle;
-        }
-        let occupied = snap.presence
-            && snap.active_zones.iter().any(|z| z == &cfg.bathroom_zone_tag);
-        if occupied != self.active {
-            self.active = occupied;
-            let tag = if occupied { "presence=true,zone=bathroom" } else { "exit-bathroom" };
-            return PrimitiveState::Boolean {
-                active: occupied,
-                changed: true,
-                reason: Reason::new(&[tag]),
-            };
-        }
-        PrimitiveState::Idle
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use std::time::Duration;
-
-    fn cfg() -> PrimitiveConfig {
-        PrimitiveConfig::default()
-    }
-
-    #[test]
-    fn fires_when_presence_in_bathroom_zone() {
-        let mut p = BathroomOccupied::new();
-        let s = RawSnapshot {
-            since_start: Duration::from_secs(120),
-            presence: true,
-            active_zones: vec!["bathroom".into()],
-            ..Default::default()
-        };
-        let state = p.tick(&s, &cfg());
-        match state {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(active && changed);
-            }
-            other => panic!("expected on/change, got {:?}", other),
-        }
-    }
-
-    #[test]
-    fn does_not_fire_for_other_zone() {
-        let mut p = BathroomOccupied::new();
-        let s = RawSnapshot {
-            since_start: Duration::from_secs(120),
-            presence: true,
-            active_zones: vec!["kitchen".into()],
-            ..Default::default()
-        };
-        let state = p.tick(&s, &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn requires_presence_true() {
-        let mut p = BathroomOccupied::new();
-        let s = RawSnapshot {
-            since_start: Duration::from_secs(120),
-            presence: false,
-            active_zones: vec!["bathroom".into()],
-            ..Default::default()
-        };
-        assert!(matches!(p.tick(&s, &cfg()), PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn warmup_blocks_initial_fire() {
-        let mut p = BathroomOccupied::new();
-        let s = RawSnapshot {
-            since_start: Duration::from_secs(30),
-            presence: true,
-            active_zones: vec!["bathroom".into()],
-            ..Default::default()
-        };
-        assert!(matches!(p.tick(&s, &cfg()), PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn emits_off_on_zone_exit() {
-        let mut p = BathroomOccupied::new();
-        let s_in = RawSnapshot {
-            since_start: Duration::from_secs(120),
-            presence: true,
-            active_zones: vec!["bathroom".into()],
-            ..Default::default()
-        };
-        let _ = p.tick(&s_in, &cfg());
-        let s_out = RawSnapshot {
-            since_start: Duration::from_secs(180),
-            presence: true,
-            active_zones: vec!["kitchen".into()],
-            ..Default::default()
-        };
-        let state = p.tick(&s_out, &cfg());
-        match state {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(!active && changed);
-            }
-            other => panic!("expected off/change, got {:?}", other),
-        }
-    }
-}
@@ -1,147 +0,0 @@
-//! Bed-exit (overnight) primitive (§3.12.1 row 8).
-//!
-//! Edge-triggered event: fires once when "someone sleeping" transitions
-//! to "no presence in any bed-tagged zone" between 22:00 and 06:00
-//! local time.
-//!
-//! Inputs:
-//! - `sleeping` from upstream (the someone_sleeping primitive — wired
-//!   into the bus output so we don't re-derive it here)
-//! - `active_zones` — list of zones currently reporting presence
-//! - `bed_zones` — config list of zones tagged as bed-areas
-//! - `local_seconds_since_midnight` — local-time of day
-//!
-//! For v1 we don't have direct cross-primitive wiring, so we
-//! approximate "sleeping" with: was-presence-in-bed-zone, then
-//! exited-bed-zone. Refine in v2 when the bus exposes `sleeping`
-//! state to other primitives.
-
-use super::common::{in_window, PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
-
-#[derive(Debug, Default, Clone)]
-pub struct BedExit {
-    in_bed: bool,
-}
-
-impl BedExit {
-    pub fn new() -> Self { Self::default() }
-
-    fn in_bed_zone(snap: &RawSnapshot) -> bool {
-        !snap.bed_zones.is_empty()
-            && snap.active_zones.iter().any(|z| snap.bed_zones.contains(z))
-    }
-
-    pub fn tick(&mut self, snap: &RawSnapshot, cfg: &PrimitiveConfig) -> PrimitiveState {
-        if snap.since_start < cfg.warmup {
-            return PrimitiveState::Idle;
-        }
-        let now_in_bed = snap.presence && Self::in_bed_zone(snap);
-        let was_in_bed = self.in_bed;
-        self.in_bed = now_in_bed;
-
-        if was_in_bed && !now_in_bed {
-            // Only fire during overnight window.
-            let (start, end) = cfg.bed_exit_window;
-            if in_window(snap.local_seconds_since_midnight, start, end) {
-                return PrimitiveState::Event {
-                    event_type: "bed_exit",
-                    reason: Reason::new(&[
-                        "left_bed_zone",
-                        "overnight_window",
-                    ]),
-                };
-            }
-        }
-        PrimitiveState::Idle
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use std::time::Duration;
-
-    fn cfg() -> PrimitiveConfig { PrimitiveConfig::default() }
-
-    fn in_bed_overnight(t: u64) -> RawSnapshot {
-        RawSnapshot {
-            since_start: Duration::from_secs(120 + t),
-            presence: true,
-            active_zones: vec!["bedroom".into()],
-            bed_zones: vec!["bedroom".into()],
-            local_seconds_since_midnight: 2 * 3600, // 02:00
-            ..Default::default()
-        }
-    }
-
-    fn out_of_bed_overnight(t: u64) -> RawSnapshot {
-        RawSnapshot {
-            since_start: Duration::from_secs(120 + t),
-            presence: true,
-            active_zones: vec!["hall".into()],
-            bed_zones: vec!["bedroom".into()],
-            local_seconds_since_midnight: 2 * 3600,
-            ..Default::default()
-        }
-    }
-
-    #[test]
-    fn fires_on_bed_to_non_bed_overnight() {
-        let mut p = BedExit::new();
-        let _ = p.tick(&in_bed_overnight(10), &cfg());
-        let state = p.tick(&out_of_bed_overnight(20), &cfg());
-        assert!(matches!(state, PrimitiveState::Event { event_type: "bed_exit", .. }));
-    }
-
-    #[test]
-    fn does_not_fire_during_day() {
-        let mut p = BedExit::new();
-        let mut s_in = in_bed_overnight(10);
-        s_in.local_seconds_since_midnight = 14 * 3600; // 14:00
-        let _ = p.tick(&s_in, &cfg());
-        let mut s_out = out_of_bed_overnight(20);
-        s_out.local_seconds_since_midnight = 14 * 3600;
-        let state = p.tick(&s_out, &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn does_not_fire_without_prior_in_bed() {
-        let mut p = BedExit::new();
-        // Person never was in bed.
-        let state = p.tick(&out_of_bed_overnight(20), &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn warmup_blocks_initial_transitions() {
-        let mut p = BedExit::new();
-        let mut s_in = in_bed_overnight(0);
-        s_in.since_start = Duration::from_secs(30);
-        assert!(matches!(p.tick(&s_in, &cfg()), PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn does_not_fire_when_bed_zones_unconfigured() {
-        let mut p = BedExit::new();
-        let mut s_in = in_bed_overnight(10);
-        s_in.bed_zones.clear();
-        let _ = p.tick(&s_in, &cfg());
-        let mut s_out = out_of_bed_overnight(20);
-        s_out.bed_zones.clear();
-        let state = p.tick(&s_out, &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn fires_just_after_midnight_window_start() {
-        let mut p = BedExit::new();
-        let mut s_in = in_bed_overnight(10);
-        s_in.local_seconds_since_midnight = 22 * 3600 + 5; // 22:00:05
-        let _ = p.tick(&s_in, &cfg());
-        let mut s_out = out_of_bed_overnight(20);
-        s_out.local_seconds_since_midnight = 22 * 3600 + 10;
-        let state = p.tick(&s_out, &cfg());
-        assert!(matches!(state, PrimitiveState::Event { .. }));
-    }
-}
@@ -1,357 +0,0 @@
-//! Semantic event bus — dispatches one [`RawSnapshot`] to every
-//! primitive in the order they were registered, collects the
-//! [`SemanticEvent`]s emitted, and hands them to MQTT + Matter
-//! publishers via a shared `tokio::broadcast` (wiring lives in the
-//! publisher, see `mqtt::publisher`).
-//!
-//! Per §3.12.6 — adding a new primitive is one file change. The bus
-//! holds a list of trait objects so the call site doesn't grow when we
-//! add primitives in P4.5b.
-
-use super::common::{PrimitiveConfig, PrimitiveState, RawSnapshot};
-#[cfg(test)]
-use super::common::Reason;
-use super::{
-    bathroom::BathroomOccupied,
-    bed_exit::BedExit,
-    distress::PossibleDistress,
-    elderly_anomaly::ElderlyInactivityAnomaly,
-    fall_risk::FallRiskElevated,
-    meeting::MeetingInProgress,
-    multi_room::MultiRoomTransition,
-    no_movement::NoMovement,
-    room_active::RoomActive,
-    sleeping::SomeoneSleeping,
-};
-
-/// Identifier for which primitive produced an event. Used by the
-/// publisher to map onto the matching `EntityKind`.
-#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
-pub enum SemanticKind {
-    SomeoneSleeping,
-    PossibleDistress,
-    RoomActive,
-    ElderlyAnomaly,
-    Meeting,
-    BathroomOccupied,
-    FallRisk,
-    BedExit,
-    NoMovement,
-    MultiRoom,
-}
-
-/// One event published to MQTT / Matter consumers.
-#[derive(Debug, Clone, PartialEq)]
-pub struct SemanticEvent {
-    pub kind: SemanticKind,
-    pub state: PrimitiveState,
-    pub node_id: String,
-    pub timestamp_ms: i64,
-}
-
-/// Collection of every primitive FSM. Owned by the publisher task.
-pub struct SemanticBus {
-    sleeping: SomeoneSleeping,
-    distress: PossibleDistress,
-    room_active: RoomActive,
-    elderly_anomaly: ElderlyInactivityAnomaly,
-    meeting: MeetingInProgress,
-    bathroom: BathroomOccupied,
-    fall_risk: FallRiskElevated,
-    bed_exit: BedExit,
-    no_movement: NoMovement,
-    multi_room: MultiRoomTransition,
-    pub config: PrimitiveConfig,
-}
-
-impl SemanticBus {
-    pub fn new(config: PrimitiveConfig) -> Self {
-        Self {
-            sleeping: SomeoneSleeping::new(),
-            distress: PossibleDistress::new(),
-            room_active: RoomActive::new(),
-            elderly_anomaly: ElderlyInactivityAnomaly::new(),
-            meeting: MeetingInProgress::new(),
-            bathroom: BathroomOccupied::new(),
-            fall_risk: FallRiskElevated::new(),
-            bed_exit: BedExit::new(),
-            no_movement: NoMovement::new(),
-            multi_room: MultiRoomTransition::new(),
-            config,
-        }
-    }
-
-    /// Run all primitives on one snapshot. Returns only events that
-    /// emit (Idle states are filtered).
-    pub fn tick(&mut self, snap: &RawSnapshot) -> Vec<SemanticEvent> {
-        let pairs: [(SemanticKind, PrimitiveState); 10] = [
-            (SemanticKind::SomeoneSleeping,   self.sleeping.tick(snap, &self.config)),
-            (SemanticKind::PossibleDistress,  self.distress.tick(snap, &self.config)),
-            (SemanticKind::RoomActive,        self.room_active.tick(snap, &self.config)),
-            (SemanticKind::ElderlyAnomaly,    self.elderly_anomaly.tick(snap, &self.config)),
-            (SemanticKind::Meeting,           self.meeting.tick(snap, &self.config)),
-            (SemanticKind::BathroomOccupied,  self.bathroom.tick(snap, &self.config)),
-            (SemanticKind::FallRisk,          self.fall_risk.tick(snap, &self.config)),
-            (SemanticKind::BedExit,           self.bed_exit.tick(snap, &self.config)),
-            (SemanticKind::NoMovement,        self.no_movement.tick(snap, &self.config)),
-            (SemanticKind::MultiRoom,         self.multi_room.tick(snap, &self.config)),
-        ];
-        pairs
-            .into_iter()
-            .filter_map(|(kind, state)| match state {
-                PrimitiveState::Idle => None,
-                _ => Some(SemanticEvent {
-                    kind,
-                    state,
-                    node_id: snap.node_id.clone(),
-                    timestamp_ms: snap.timestamp_ms,
-                }),
-            })
-            .collect()
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-    use std::time::Duration;
-
-    fn cfg() -> PrimitiveConfig {
-        PrimitiveConfig::default()
-    }
-
-    #[test]
-    fn bus_returns_empty_during_warmup() {
-        let mut bus = SemanticBus::new(cfg());
-        let snap = RawSnapshot {
-            since_start: Duration::from_secs(30),
-            presence: true,
-            motion: 0.5,
-            ..Default::default()
-        };
-        assert!(bus.tick(&snap).is_empty());
-    }
-
-    #[test]
-    fn bus_emits_room_active_on_sustained_motion() {
-        let mut bus = SemanticBus::new(cfg());
-        let snap = RawSnapshot {
-            node_id: "test".into(),
-            since_start: Duration::from_secs(120),
-            timestamp_ms: 1_000,
-            presence: true,
-            motion: 0.4,
-            ..Default::default()
-        };
-        let events = bus.tick(&snap);
-        assert!(events.iter().any(|e| e.kind == SemanticKind::RoomActive));
-    }
-
-    #[test]
-    fn bus_emits_bathroom_when_zone_active() {
-        let mut bus = SemanticBus::new(cfg());
-        let snap = RawSnapshot {
-            node_id: "test".into(),
-            since_start: Duration::from_secs(120),
-            timestamp_ms: 1_000,
-            presence: true,
-            active_zones: vec!["bathroom".into()],
-            ..Default::default()
-        };
-        let events = bus.tick(&snap);
-        assert!(events.iter().any(|e| e.kind == SemanticKind::BathroomOccupied));
-    }
-
-    #[test]
-    fn bus_supports_multiple_simultaneous_primitives() {
-        let mut bus = SemanticBus::new(cfg());
-        let snap = RawSnapshot {
-            node_id: "test".into(),
-            since_start: Duration::from_secs(120),
-            timestamp_ms: 1_000,
-            presence: true,
-            motion: 0.4,
-            active_zones: vec!["bathroom".into()],
-            ..Default::default()
-        };
-        let events = bus.tick(&snap);
-        // Both RoomActive AND BathroomOccupied should fire.
-        let kinds: Vec<_> = events.iter().map(|e| e.kind).collect();
-        assert!(kinds.contains(&SemanticKind::RoomActive));
-        assert!(kinds.contains(&SemanticKind::BathroomOccupied));
-    }
-
-    #[test]
-    fn semantic_event_carries_node_id_and_ts() {
-        let mut bus = SemanticBus::new(cfg());
-        let snap = RawSnapshot {
-            node_id: "aabb".into(),
-            since_start: Duration::from_secs(120),
-            timestamp_ms: 1779_512_400_000,
-            presence: true,
-            active_zones: vec!["bathroom".into()],
-            ..Default::default()
-        };
-        let events = bus.tick(&snap);
-        let bath = events.into_iter().find(|e| e.kind == SemanticKind::BathroomOccupied).unwrap();
-        assert_eq!(bath.node_id, "aabb");
-        assert_eq!(bath.timestamp_ms, 1779_512_400_000);
-    }
-
-    #[test]
-    fn semantic_event_includes_explanation_reason() {
-        // Verify that primitives populate the explanation field —
-        // critical for HA users debugging automations.
-        let mut bus = SemanticBus::new(cfg());
-        let snap = RawSnapshot {
-            node_id: "test".into(),
-            since_start: Duration::from_secs(120),
-            timestamp_ms: 1_000,
-            presence: true,
-            motion: 0.4,
-            ..Default::default()
-        };
-        let events = bus.tick(&snap);
-        let ra = events.into_iter().find(|e| e.kind == SemanticKind::RoomActive).unwrap();
-        if let PrimitiveState::Boolean { reason, .. } = ra.state {
-            assert!(!reason.tags.is_empty(), "reason tags must explain why primitive fired");
-        } else {
-            panic!("expected Boolean state");
-        }
-    }
-
-    #[test]
-    fn _unused_reason_helper_remains_constructible() {
-        // Touch Reason::empty to keep clippy happy when the bus uses
-        // it indirectly via primitives.
-        let _ = Reason::empty();
-    }
-
-    // ─── Property-based invariants ─────────────────────────────────
-    //
-    // The example-based tests above hit the obvious FSM transitions.
-    // These proptest cases throw random snapshot sequences at the bus
-    // and assert no primitive panics, every emitted state carries a
-    // reason payload, and the bus never returns Idle events (Idle is
-    // explicitly filtered).
-
-    use proptest::prelude::*;
-
-    fn arb_snapshot() -> impl Strategy<Value = RawSnapshot> {
-        // proptest only impls Strategy for tuples up to length 12, so
-        // we split into two nested tuples and merge in the prop_map.
-        let core = (
-            0u64..86400,                             // since_start secs
-            0i64..(1u64 << 40) as i64,               // timestamp_ms
-            any::<bool>(),                           // presence
-            any::<bool>(),                           // fall_detected
-            -0.5f64..2.0,                            // motion (incl. out-of-range)
-            -1000.0f64..10000.0,                     // motion_energy
-            proptest::option::of(0.0f64..200.0),     // breathing_rate_bpm
-        );
-        let extra = (
-            proptest::option::of(0.0f64..250.0),     // heart_rate_bpm
-            0u32..10,                                // n_persons
-            proptest::option::of(-120.0f64..0.0),    // rssi_dbm
-            0.0f64..1.0,                             // vital_confidence
-            0u32..86400,                             // local_seconds_since_midnight
-            prop::collection::vec("[a-z]{3,8}", 0..4), // active_zones
-        );
-        (core, extra).prop_map(
-            |((secs, ts, presence, fall, motion, energy, br),
-              (hr, n, rssi, conf, tod, zones))| {
-                RawSnapshot {
-                    node_id: "fuzz".into(),
-                    since_start: std::time::Duration::from_secs(secs),
-                    timestamp_ms: ts,
-                    presence,
-                    fall_detected: fall,
-                    motion,
-                    motion_energy: energy,
-                    breathing_rate_bpm: br,
-                    heart_rate_bpm: hr,
-                    n_persons: n,
-                    rssi_dbm: rssi,
-                    vital_confidence: conf,
-                    active_zones: zones,
-                    bed_zones: vec!["bedroom".into()],
-                    local_seconds_since_midnight: tod,
-                }
-            },
-        )
-    }
-
-    proptest! {
-        /// The bus never panics on any single snapshot, even with
-        /// pathological inputs (motion>1.0, NaN-prone HRs, empty
-        /// zones, etc).
-        #[test]
-        fn bus_tick_never_panics_on_arbitrary_snapshot(snap in arb_snapshot()) {
-            let mut bus = SemanticBus::new(PrimitiveConfig::default());
-            let _events = bus.tick(&snap);
-        }
-
-        /// Every emitted SemanticEvent carries a populated `node_id`
-        /// and the same `timestamp_ms` as the input snapshot. The bus
-        /// MUST NOT manufacture events with empty node IDs.
-        #[test]
-        fn bus_events_carry_node_id_and_ts(snap in arb_snapshot()) {
-            let mut bus = SemanticBus::new(PrimitiveConfig::default());
-            for ev in bus.tick(&snap) {
-                prop_assert!(!ev.node_id.is_empty(), "empty node_id in event {:?}", ev);
-                prop_assert_eq!(ev.timestamp_ms, snap.timestamp_ms);
-            }
-        }
-
-        /// No primitive emits a SemanticState::Boolean without
-        /// populating its `reason` field — the explainability contract
-        /// is enforced at the wire boundary.
-        #[test]
-        fn boolean_states_always_have_reason_tags(snap in arb_snapshot()) {
-            let mut bus = SemanticBus::new(PrimitiveConfig::default());
-            for ev in bus.tick(&snap) {
-                match &ev.state {
-                    PrimitiveState::Boolean { reason, changed, .. } => {
-                        if *changed {
-                            prop_assert!(
-                                !reason.tags.is_empty(),
-                                "changed Boolean must have reason tags: {:?}", ev,
-                            );
-                        }
-                    }
-                    _ => {}
-                }
-            }
-        }
-
-        /// A randomly-sequenced run of snapshots never makes the bus
-        /// produce more events than primitives it owns (currently 10).
-        /// This is the upper-bound invariant — each primitive emits at
-        /// most one event per tick.
-        #[test]
-        fn per_tick_event_count_bounded_by_primitive_count(snap in arb_snapshot()) {
-            let mut bus = SemanticBus::new(PrimitiveConfig::default());
-            let events = bus.tick(&snap);
-            prop_assert!(events.len() <= 10, "too many events: {}", events.len());
-        }
-
-        /// Replaying the same snapshot N times to a fresh bus produces
-        /// monotonic / consistent state (no jitter). This catches FSMs
-        /// that accidentally use uninitialised internal state.
-        #[test]
-        fn replay_same_snapshot_is_deterministic_per_fresh_bus(
-            snap in arb_snapshot(),
-            replays in 1usize..5,
-        ) {
-            let mut last: Option<Vec<SemanticKind>> = None;
-            for _ in 0..replays {
-                let mut bus = SemanticBus::new(PrimitiveConfig::default());
-                let kinds: Vec<_> = bus.tick(&snap).into_iter().map(|e| e.kind).collect();
-                if let Some(prev) = &last {
-                    prop_assert_eq!(prev, &kinds, "non-deterministic tick from fresh bus");
-                }
-                last = Some(kinds);
-            }
-        }
-    }
-}
@@ -1,176 +0,0 @@
-//! Shared types used by every semantic primitive's FSM.
-
-use std::time::Duration;
-
-/// Single observation snapshot the bus dispatches to every primitive.
-///
-/// All fields are derived from the existing broadcast channel —
-/// primitives never touch raw CSI. This struct is a *projection* of
-/// `VitalsSnapshot` + `sensing_update` (zones) so primitives are
-/// schema-stable against future changes to the wire format.
-#[derive(Debug, Clone, Default)]
-pub struct RawSnapshot {
-    pub node_id: String,
-    pub since_start: Duration,
-    pub timestamp_ms: i64,
-    pub presence: bool,
-    pub fall_detected: bool,
-    pub motion: f64,                 // 0.0..=1.0
-    pub motion_energy: f64,
-    pub breathing_rate_bpm: Option<f64>,
-    pub heart_rate_bpm: Option<f64>,
-    pub n_persons: u32,
-    pub rssi_dbm: Option<f64>,
-    pub vital_confidence: f64,
-    /// Zones currently reporting presence (e.g. `["bathroom", "kitchen"]`).
-    pub active_zones: Vec<String>,
-    /// Bed-tagged zones derived from `--semantic-zones-file`. Optional
-    /// per-deployment.
-    pub bed_zones: Vec<String>,
-    /// Local time-of-day in seconds since midnight (0..86400). Used by
-    /// time-gated primitives (bed_exit between 22:00 and 06:00).
-    pub local_seconds_since_midnight: u32,
-}
-
-/// Output of one primitive on one snapshot.
-#[derive(Debug, Clone, PartialEq)]
-pub enum PrimitiveState {
-    /// Boolean state with hysteresis. Includes change flag so the bus
-    /// can decide whether to publish.
-    Boolean { active: bool, changed: bool, reason: Reason },
-    /// Continuous score (e.g. fall risk 0..100). Always publish.
-    Scalar { value: f64, reason: Reason },
-    /// One-shot event (fall, bed exit, multi-room transition).
-    Event { event_type: &'static str, reason: Reason },
-    /// No output this tick.
-    Idle,
-}
-
-/// Human-readable explanation for HA users debugging an automation.
-#[derive(Debug, Clone, PartialEq)]
-pub struct Reason {
-    /// Short tags suitable for `json_attributes` (e.g.
-    /// `["motion<5%", "br=12bpm", "presence=true"]`).
-    pub tags: Vec<String>,
-}
-
-impl Reason {
-    pub fn new(tags: &[&str]) -> Self {
-        Self { tags: tags.iter().map(|s| s.to_string()).collect() }
-    }
-
-    pub fn empty() -> Self {
-        Self { tags: Vec::new() }
-    }
-}
-
-/// Per-deployment knobs. Loaded once at startup from
-/// `--semantic-thresholds-file` if supplied, otherwise from defaults
-/// committed to `docs/integrations/semantic-primitives-metrics.md`.
-#[derive(Debug, Clone)]
-pub struct PrimitiveConfig {
-    /// First N seconds after process start during which no primitive
-    /// fires (sensors settling, per §3.12.4).
-    pub warmup: Duration,
-    /// "Someone sleeping": min uninterrupted low-motion dwell.
-    pub sleep_dwell: Duration,
-    /// "Possible distress": HR multiple over rolling baseline.
-    pub distress_hr_multiple: f64,
-    /// "Possible distress": dwell at elevated HR before firing.
-    pub distress_dwell: Duration,
-    /// "Room active": motion threshold (0..1) sustained for the window.
-    pub room_active_motion_threshold: f64,
-    pub room_active_window: Duration,
-    pub room_active_exit_idle: Duration,
-    /// "Elderly inactivity anomaly": multiple over rolling baseline.
-    pub elderly_anomaly_multiple: f64,
-    /// "Meeting in progress": min persons + min dwell.
-    pub meeting_min_persons: u32,
-    pub meeting_dwell: Duration,
-    /// "Bathroom occupied": zone tag to match.
-    pub bathroom_zone_tag: String,
-    /// "Fall risk": threshold for cross event firing.
-    pub fall_risk_event_threshold: f64,
-    /// "Bed exit": time window during which bed exits trigger (start, end).
-    pub bed_exit_window: (u32, u32), // seconds-of-day; wraps midnight
-    /// "No movement (safety)": dwell.
-    pub no_movement_dwell: Duration,
-    /// "Multi-room transition": max gap between zone exit + new zone enter.
-    pub multi_room_gap: Duration,
-}
-
-impl Default for PrimitiveConfig {
-    fn default() -> Self {
-        Self {
-            warmup: Duration::from_secs(60),
-            sleep_dwell: Duration::from_secs(300),
-            distress_hr_multiple: 1.5,
-            distress_dwell: Duration::from_secs(60),
-            room_active_motion_threshold: 0.10,
-            room_active_window: Duration::from_secs(30),
-            room_active_exit_idle: Duration::from_secs(600),
-            elderly_anomaly_multiple: 2.0,
-            meeting_min_persons: 2,
-            meeting_dwell: Duration::from_secs(600),
-            bathroom_zone_tag: "bathroom".into(),
-            fall_risk_event_threshold: 70.0,
-            bed_exit_window: (22 * 3600, 6 * 3600), // 22:00–06:00 local
-            no_movement_dwell: Duration::from_secs(30 * 60),
-            multi_room_gap: Duration::from_secs(10),
-        }
-    }
-}
-
-/// True iff `(start, end)` describes a wrap-around window (start > end,
-/// e.g. 22:00–06:00). Used to test bed-exit time gating.
-pub fn in_window(now: u32, start: u32, end: u32) -> bool {
-    if start <= end {
-        now >= start && now < end
-    } else {
-        // Wraps midnight.
-        now >= start || now < end
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    #[test]
-    fn in_window_simple_range() {
-        assert!(in_window(3 * 3600, 1 * 3600, 5 * 3600));
-        assert!(!in_window(10 * 3600, 1 * 3600, 5 * 3600));
-    }
-
-    #[test]
-    fn in_window_wrap_around_midnight() {
-        // 22:00–06:00.
-        assert!(in_window(23 * 3600, 22 * 3600, 6 * 3600));   // late evening
-        assert!(in_window(2 * 3600, 22 * 3600, 6 * 3600));    // early morning
-        assert!(!in_window(12 * 3600, 22 * 3600, 6 * 3600));  // noon — outside
-        assert!(in_window(0, 22 * 3600, 6 * 3600));           // midnight tick
-    }
-
-    #[test]
-    fn primitive_config_defaults_match_adr() {
-        let c = PrimitiveConfig::default();
-        // Spot-check key thresholds match §3.12 catalog.
-        assert_eq!(c.warmup, Duration::from_secs(60));
-        assert_eq!(c.sleep_dwell, Duration::from_secs(300));
-        assert!((c.distress_hr_multiple - 1.5).abs() < 1e-9);
-        assert_eq!(c.meeting_min_persons, 2);
-        assert_eq!(c.bed_exit_window, (22 * 3600, 6 * 3600));
-    }
-
-    #[test]
-    fn reason_empty_has_no_tags() {
-        let r = Reason::empty();
-        assert!(r.tags.is_empty());
-    }
-
-    #[test]
-    fn reason_new_collects_string_owned() {
-        let r = Reason::new(&["motion<5%", "br=12bpm"]);
-        assert_eq!(r.tags, vec!["motion<5%".to_string(), "br=12bpm".to_string()]);
-    }
-}
@@ -1,284 +0,0 @@
-//! Possible-distress primitive (§3.12.1 row 2).
-//!
-//! Enter `possible_distress = ON` when ALL of the following hold for
-//! `distress_dwell` (default 60 s):
-//! - sustained HR > `distress_hr_multiple` × rolling baseline (default 1.5×)
-//! - motion is agitated (motion > 0.20)
-//! - no fall recently
-//!
-//! Exit when HR returns to baseline OR motion calms below 0.10 for 30 s.
-//! After exit there's a 5-min latch suppressing re-fire (refractory).
-//!
-//! Baseline is an exponential moving average over a long window so a
-//! single high-HR sample doesn't shift the reference fast. Window is
-//! parametric so deployments can tune for resident demographics.
-
-use std::time::Duration;
-
-use super::common::{PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
-
-const REFRACTORY: Duration = Duration::from_secs(300);
-
-/// Exponential moving average over heart-rate samples.
-#[derive(Debug, Default, Clone)]
-struct Ewma {
-    value: Option<f64>,
-    alpha: f64, // 0..1, smaller = longer memory
-}
-
-impl Ewma {
-    fn new(alpha: f64) -> Self { Self { value: None, alpha } }
-    fn update(&mut self, x: f64) {
-        self.value = Some(match self.value {
-            Some(v) => self.alpha * x + (1.0 - self.alpha) * v,
-            None => x,
-        });
-    }
-}
-
-#[derive(Debug, Clone)]
-pub struct PossibleDistress {
-    pub active: bool,
-    baseline: Ewma,
-    enter_since: Option<Duration>,
-    last_exit: Option<Duration>,
-}
-
-impl Default for PossibleDistress {
-    fn default() -> Self {
-        Self {
-            active: false,
-            baseline: Ewma::new(0.01), // ~100-sample memory at 1 Hz
-            enter_since: None,
-            last_exit: None,
-        }
-    }
-}
-
-impl PossibleDistress {
-    pub fn new() -> Self { Self::default() }
-
-    pub fn tick(&mut self, snap: &RawSnapshot, cfg: &PrimitiveConfig) -> PrimitiveState {
-        if snap.since_start < cfg.warmup {
-            // Still seed the baseline even in warmup so we don't fire
-            // immediately after the warmup ends with a cold baseline.
-            if let Some(hr) = snap.heart_rate_bpm {
-                if snap.vital_confidence >= 0.5 { self.baseline.update(hr); }
-            }
-            return PrimitiveState::Idle;
-        }
-
-        let hr = match snap.heart_rate_bpm {
-            Some(v) if snap.vital_confidence >= 0.5 => v,
-            _ => return PrimitiveState::Idle,
-        };
-        let baseline = match self.baseline.value {
-            Some(b) if b > 0.0 => b,
-            _ => {
-                self.baseline.update(hr);
-                return PrimitiveState::Idle;
-            }
-        };
-
-        let hr_high = hr / baseline >= cfg.distress_hr_multiple;
-        let agitated = snap.motion > 0.20;
-        let no_fall = !snap.fall_detected;
-
-        // Only update baseline when NOT active AND NOT in a candidate
-        // distress event (low motion, HR near baseline). This keeps the
-        // baseline anchored to resting HR rather than chasing elevated
-        // samples — without this guard a sustained elevated HR drifts
-        // the baseline up before the dwell completes.
-        if !self.active && !agitated && !hr_high {
-            self.baseline.update(hr);
-        }
-
-        if !self.active {
-            // Refractory period after recent exit.
-            if let Some(t) = self.last_exit {
-                if snap.since_start.saturating_sub(t) < REFRACTORY {
-                    return PrimitiveState::Idle;
-                }
-            }
-            if hr_high && agitated && no_fall {
-                let start = *self.enter_since.get_or_insert(snap.since_start);
-                if snap.since_start.saturating_sub(start) >= cfg.distress_dwell {
-                    self.active = true;
-                    return PrimitiveState::Boolean {
-                        active: true,
-                        changed: true,
-                        reason: Reason::new(&[
-                            "hr_high>=1.5x",
-                            "motion>20%",
-                            "no_fall",
-                            "dwell>=60s",
-                        ]),
-                    };
-                }
-            } else {
-                self.enter_since = None;
-            }
-            PrimitiveState::Idle
-        } else {
-            // Active — check exit.
-            let calm = snap.motion < 0.10 && hr / baseline < 1.2;
-            if calm {
-                self.active = false;
-                self.enter_since = None;
-                self.last_exit = Some(snap.since_start);
-                return PrimitiveState::Boolean {
-                    active: false,
-                    changed: true,
-                    reason: Reason::new(&["motion<10%", "hr_back_to_baseline"]),
-                };
-            }
-            PrimitiveState::Idle
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn cfg() -> PrimitiveConfig { PrimitiveConfig::default() }
-
-    fn snap(t_secs: u64, hr: Option<f64>, motion: f64) -> RawSnapshot {
-        RawSnapshot {
-            since_start: Duration::from_secs(t_secs),
-            presence: true,
-            motion,
-            heart_rate_bpm: hr,
-            vital_confidence: 0.8,
-            ..Default::default()
-        }
-    }
-
-    fn seed_baseline(p: &mut PossibleDistress, hr: f64) {
-        // Warmup samples seed the EWMA baseline.
-        for t in 0..60 {
-            let _ = p.tick(&snap(t, Some(hr), 0.0), &cfg());
-        }
-    }
-
-    #[test]
-    fn does_not_fire_with_normal_hr() {
-        let mut p = PossibleDistress::new();
-        seed_baseline(&mut p, 70.0);
-        // Normal HR + low motion → no fire.
-        for t in 60..200 {
-            let s = snap(t, Some(72.0), 0.05);
-            assert!(matches!(p.tick(&s, &cfg()), PrimitiveState::Idle));
-        }
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn fires_on_sustained_elevated_hr_with_motion() {
-        let mut p = PossibleDistress::new();
-        seed_baseline(&mut p, 70.0);
-        // Elevated HR (>1.5×70=105) + agitated motion, sustained 60s.
-        let mut fired = false;
-        for t in 60..200 {
-            let s = snap(t, Some(120.0), 0.35);
-            if matches!(p.tick(&s, &cfg()), PrimitiveState::Boolean { active: true, .. }) {
-                fired = true;
-                break;
-            }
-        }
-        assert!(fired, "primitive must fire on sustained elevated HR + motion");
-        assert!(p.active);
-    }
-
-    #[test]
-    fn does_not_fire_during_fall() {
-        let mut p = PossibleDistress::new();
-        seed_baseline(&mut p, 70.0);
-        for t in 60..200 {
-            let mut s = snap(t, Some(120.0), 0.35);
-            s.fall_detected = true;
-            assert!(matches!(p.tick(&s, &cfg()), PrimitiveState::Idle));
-        }
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn exits_when_motion_calms_and_hr_normalises() {
-        let mut p = PossibleDistress::new();
-        seed_baseline(&mut p, 70.0);
-        // Trigger.
-        for t in 60..200 {
-            let s = snap(t, Some(120.0), 0.35);
-            let _ = p.tick(&s, &cfg());
-        }
-        assert!(p.active);
-        // Calm sample.
-        let s_calm = snap(220, Some(75.0), 0.05);
-        let state = p.tick(&s_calm, &cfg());
-        match state {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(!active && changed);
-            }
-            other => panic!("expected off/change, got {:?}", other),
-        }
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn refractory_blocks_immediate_refire() {
-        let mut p = PossibleDistress::new();
-        seed_baseline(&mut p, 70.0);
-        for t in 60..200 {
-            let _ = p.tick(&snap(t, Some(120.0), 0.35), &cfg());
-        }
-        // Calm to exit.
-        let _ = p.tick(&snap(220, Some(75.0), 0.05), &cfg());
-        assert!(!p.active);
-        // Try to re-fire 1 min after exit (refractory is 5 min).
-        for t in 280..400 {
-            let s = snap(t, Some(120.0), 0.35);
-            assert!(matches!(p.tick(&s, &cfg()), PrimitiveState::Idle));
-        }
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn refire_allowed_after_refractory() {
-        let mut p = PossibleDistress::new();
-        seed_baseline(&mut p, 70.0);
-        for t in 60..200 {
-            let _ = p.tick(&snap(t, Some(120.0), 0.35), &cfg());
-        }
-        let _ = p.tick(&snap(220, Some(75.0), 0.05), &cfg());
-        // 6 min later — past refractory.
-        let mut fired = false;
-        for t in 600..800 {
-            let s = snap(t, Some(120.0), 0.35);
-            if matches!(p.tick(&s, &cfg()), PrimitiveState::Boolean { active: true, .. }) {
-                fired = true;
-                break;
-            }
-        }
-        assert!(fired);
-    }
-
-    #[test]
-    fn baseline_does_not_track_during_active() {
-        let mut p = PossibleDistress::new();
-        seed_baseline(&mut p, 70.0);
-        let initial = p.baseline.value.unwrap();
-        for t in 60..200 {
-            let _ = p.tick(&snap(t, Some(120.0), 0.35), &cfg());
-        }
-        assert!(p.active);
-        // Many more elevated samples — baseline must not climb.
-        for t in 200..400 {
-            let _ = p.tick(&snap(t, Some(130.0), 0.35), &cfg());
-        }
-        let after = p.baseline.value.unwrap();
-        // Baseline may move a little during pre-trigger window, but it
-        // must not chase the 130-bpm samples during the active state.
-        assert!(after < 100.0, "baseline {} drifted toward distress HR", after);
-        assert!(initial < 100.0);
-    }
-}
@@ -1,173 +0,0 @@
-//! Elderly inactivity anomaly primitive (§3.12.1 row 4).
-//!
-//! Enter `elderly_inactivity_anomaly = ON` when current inactivity
-//! duration exceeds `elderly_anomaly_multiple` × rolling median of
-//! daily idle durations (default 2×).
-//!
-//! v1 implements this with a simplified rolling-quantile: the longest
-//! idle stretch ever seen since process start, capped by the
-//! `--semantic-baseline-window-days` flag (default 14 — but we don't
-//! persist across restarts in v1, so the window is effectively
-//! "uptime"). Per-resident persistent baselines arrive in v2 with the
-//! `SemanticState` log-replay path.
-//!
-//! Refractory: max 1 firing per 24 h to prevent alert spam.
-
-use std::time::Duration;
-
-use super::common::{PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
-
-const REFRACTORY: Duration = Duration::from_secs(24 * 3600);
-
-#[derive(Debug, Default, Clone)]
-pub struct ElderlyInactivityAnomaly {
-    pub active: bool,
-    idle_since: Option<Duration>,
-    /// Longest idle stretch observed so far. The "baseline" the multiplier
-    /// is applied against. Seeded to a sensible floor so the first day
-    /// doesn't fire spuriously.
-    longest_idle: Duration,
-    last_fire: Option<Duration>,
-}
-
-const BASELINE_FLOOR: Duration = Duration::from_secs(30 * 60); // 30 min
-
-impl ElderlyInactivityAnomaly {
-    pub fn new() -> Self {
-        Self { longest_idle: BASELINE_FLOOR, ..Default::default() }
-    }
-
-    pub fn tick(&mut self, snap: &RawSnapshot, cfg: &PrimitiveConfig) -> PrimitiveState {
-        if snap.since_start < cfg.warmup {
-            return PrimitiveState::Idle;
-        }
-        let still = snap.presence && snap.motion < 0.02;
-        if !still {
-            // Update baseline if we just emerged from a long stretch.
-            if let Some(start) = self.idle_since {
-                let dur = snap.since_start.saturating_sub(start);
-                if dur > self.longest_idle { self.longest_idle = dur; }
-            }
-            self.idle_since = None;
-            if self.active {
-                self.active = false;
-                return PrimitiveState::Boolean {
-                    active: false,
-                    changed: true,
-                    reason: Reason::new(&["motion_resumed"]),
-                };
-            }
-            return PrimitiveState::Idle;
-        }
-
-        let start = *self.idle_since.get_or_insert(snap.since_start);
-        let dur = snap.since_start.saturating_sub(start);
-        let threshold_secs = (self.longest_idle.as_secs_f64()) * cfg.elderly_anomaly_multiple;
-        let threshold = Duration::from_secs_f64(threshold_secs);
-
-        if !self.active && dur >= threshold {
-            // Refractory.
-            if let Some(t) = self.last_fire {
-                if snap.since_start.saturating_sub(t) < REFRACTORY {
-                    return PrimitiveState::Idle;
-                }
-            }
-            self.active = true;
-            self.last_fire = Some(snap.since_start);
-            return PrimitiveState::Boolean {
-                active: true,
-                changed: true,
-                reason: Reason::new(&[
-                    "presence=true",
-                    "motion<2%",
-                    "idle>2x_baseline",
-                ]),
-            };
-        }
-        PrimitiveState::Idle
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn cfg() -> PrimitiveConfig { PrimitiveConfig::default() }
-
-    fn still_snap(t_secs: u64) -> RawSnapshot {
-        RawSnapshot {
-            since_start: Duration::from_secs(t_secs),
-            presence: true,
-            motion: 0.01,
-            ..Default::default()
-        }
-    }
-
-    #[test]
-    fn fires_when_idle_exceeds_2x_baseline() {
-        let mut p = ElderlyInactivityAnomaly::new();
-        // baseline floor is 30 min → threshold = 60 min idle.
-        let _ = p.tick(&still_snap(100), &cfg());
-        let state = p.tick(&still_snap(100 + 61 * 60), &cfg());
-        match state {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(active && changed);
-            }
-            other => panic!("expected on, got {:?}", other),
-        }
-    }
-
-    #[test]
-    fn does_not_fire_before_threshold() {
-        let mut p = ElderlyInactivityAnomaly::new();
-        let _ = p.tick(&still_snap(100), &cfg());
-        // 50 min idle, threshold is 60.
-        let state = p.tick(&still_snap(100 + 50 * 60), &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn motion_clears_active_state() {
-        let mut p = ElderlyInactivityAnomaly::new();
-        let _ = p.tick(&still_snap(100), &cfg());
-        let _ = p.tick(&still_snap(100 + 61 * 60), &cfg());
-        assert!(p.active);
-        // Motion.
-        let mut s = still_snap(100 + 61 * 60 + 1);
-        s.motion = 0.10;
-        let state = p.tick(&s, &cfg());
-        match state {
-            PrimitiveState::Boolean { active, .. } => assert!(!active),
-            other => panic!("expected off, got {:?}", other),
-        }
-    }
-
-    #[test]
-    fn baseline_grows_to_observed_max() {
-        let mut p = ElderlyInactivityAnomaly::new();
-        // Establish a 90-min idle stretch — baseline should grow.
-        let _ = p.tick(&still_snap(100), &cfg());
-        let _ = p.tick(&still_snap(100 + 90 * 60), &cfg());
-        // p is now active. Force exit.
-        let mut s = still_snap(100 + 90 * 60 + 1);
-        s.motion = 0.20;
-        let _ = p.tick(&s, &cfg());
-        // Baseline updated.
-        assert!(p.longest_idle >= Duration::from_secs(89 * 60));
-    }
-
-    #[test]
-    fn refractory_prevents_repeat_alerts() {
-        let mut p = ElderlyInactivityAnomaly::new();
-        let _ = p.tick(&still_snap(100), &cfg());
-        let _ = p.tick(&still_snap(100 + 61 * 60), &cfg());
-        // Motion clears.
-        let mut s = still_snap(100 + 61 * 60 + 1);
-        s.motion = 0.20;
-        let _ = p.tick(&s, &cfg());
-        // 5 hours later, another 1h+ idle — should NOT fire (still <24h).
-        let _ = p.tick(&still_snap(100 + 5 * 3600), &cfg());
-        let state = p.tick(&still_snap(100 + 5 * 3600 + 70 * 60), &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-}
@@ -1,214 +0,0 @@
-//! Fall-risk-elevated primitive (§3.12.1 row 7).
-//!
-//! Continuous 0..100 score derived from gait instability + near-fall
-//! frequency over a rolling 24 h window. Emits a Scalar state every
-//! tick when active; emits a one-shot event when the score crosses
-//! `fall_risk_event_threshold` (default 70).
-//!
-//! v1 simplification: score = clamp(100, 10 * near_falls_24h +
-//! 50 * recent_motion_variance), where:
-//!   - near_falls_24h: count of `fall_detected` events in the trailing
-//!     24 h window (we don't expose near-falls separately in the
-//!     broadcast yet, so we approximate with confirmed falls)
-//!   - recent_motion_variance: variance of motion over the trailing
-//!     60 s.
-//!
-//! v2 will use the gait-instability score directly once it lands in
-//! the pose tracker (see ADR-027 §A4).
-
-use std::collections::VecDeque;
-use std::time::Duration;
-
-use super::common::{PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
-
-const RECENT_MOTION_WINDOW: Duration = Duration::from_secs(60);
-const FALL_HISTORY_WINDOW: Duration = Duration::from_secs(24 * 3600);
-
-#[derive(Debug, Default, Clone)]
-pub struct FallRiskElevated {
-    pub last_score: f64,
-    /// (timestamp, motion).
-    motion_history: VecDeque<(Duration, f64)>,
-    /// Timestamps of fall_detected=true events.
-    fall_history: VecDeque<Duration>,
-    /// True iff last emit was above the configured event threshold.
-    above_threshold: bool,
-}
-
-impl FallRiskElevated {
-    pub fn new() -> Self { Self::default() }
-
-    fn variance(samples: &VecDeque<(Duration, f64)>) -> f64 {
-        if samples.is_empty() { return 0.0; }
-        let mean = samples.iter().map(|(_, m)| m).sum::<f64>() / samples.len() as f64;
-        let v = samples
-            .iter()
-            .map(|(_, m)| (m - mean).powi(2))
-            .sum::<f64>()
-            / samples.len() as f64;
-        v
-    }
-
-    pub fn tick(&mut self, snap: &RawSnapshot, cfg: &PrimitiveConfig) -> PrimitiveState {
-        if snap.since_start < cfg.warmup {
-            return PrimitiveState::Idle;
-        }
-
-        // Maintain rolling motion history.
-        self.motion_history.push_back((snap.since_start, snap.motion));
-        while let Some(&(t, _)) = self.motion_history.front() {
-            if snap.since_start.saturating_sub(t) > RECENT_MOTION_WINDOW {
-                self.motion_history.pop_front();
-            } else {
-                break;
-            }
-        }
-
-        // Maintain rolling fall history.
-        if snap.fall_detected {
-            self.fall_history.push_back(snap.since_start);
-        }
-        while let Some(&t) = self.fall_history.front() {
-            if snap.since_start.saturating_sub(t) > FALL_HISTORY_WINDOW {
-                self.fall_history.pop_front();
-            } else {
-                break;
-            }
-        }
-
-        let near_falls = self.fall_history.len() as f64;
-        let var = Self::variance(&self.motion_history);
-        let score = (10.0 * near_falls + 50.0 * var).clamp(0.0, 100.0);
-        self.last_score = score;
-
-        // Event on crossing threshold upward.
-        let was_above = self.above_threshold;
-        self.above_threshold = score >= cfg.fall_risk_event_threshold;
-        if !was_above && self.above_threshold {
-            return PrimitiveState::Event {
-                event_type: "fall_risk_elevated",
-                reason: Reason::new(&["score>=70", "crossed_threshold"]),
-            };
-        }
-        PrimitiveState::Scalar {
-            value: score,
-            reason: Reason::new(&["score_published"]),
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn cfg() -> PrimitiveConfig { PrimitiveConfig::default() }
-
-    #[test]
-    fn warmup_blocks_score() {
-        let mut p = FallRiskElevated::new();
-        let s = RawSnapshot {
-            since_start: Duration::from_secs(30),
-            motion: 0.5,
-            ..Default::default()
-        };
-        assert!(matches!(p.tick(&s, &cfg()), PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn emits_scalar_when_active() {
-        let mut p = FallRiskElevated::new();
-        let s = RawSnapshot {
-            since_start: Duration::from_secs(120),
-            motion: 0.10,
-            ..Default::default()
-        };
-        let state = p.tick(&s, &cfg());
-        assert!(matches!(state, PrimitiveState::Scalar { .. }));
-    }
-
-    #[test]
-    fn score_grows_with_falls() {
-        let mut p = FallRiskElevated::new();
-        // Establish baseline with no falls.
-        let _ = p.tick(&RawSnapshot {
-            since_start: Duration::from_secs(120),
-            motion: 0.05,
-            ..Default::default()
-        }, &cfg());
-        let base_score = p.last_score;
-        // Add some falls.
-        for t in 121..125 {
-            let s = RawSnapshot {
-                since_start: Duration::from_secs(t),
-                motion: 0.05,
-                fall_detected: true,
-                ..Default::default()
-            };
-            let _ = p.tick(&s, &cfg());
-        }
-        // Score should be higher than baseline.
-        assert!(p.last_score > base_score);
-    }
-
-    #[test]
-    fn emits_event_when_crossing_threshold() {
-        let mut p = FallRiskElevated::new();
-        // Inject 7 falls → score ≥ 70.
-        let mut last_state = PrimitiveState::Idle;
-        for t in 120..127 {
-            let s = RawSnapshot {
-                since_start: Duration::from_secs(t),
-                motion: 0.05,
-                fall_detected: true,
-                ..Default::default()
-            };
-            last_state = p.tick(&s, &cfg());
-        }
-        // One of those ticks must have emitted the crossing event.
-        // Since we only catch the last call's return, check the score.
-        assert!(p.above_threshold, "should be above threshold");
-        // The crossing-event return is on the first tick that crosses.
-        // Verify the type via a fresh sequence.
-        let mut p2 = FallRiskElevated::new();
-        let _ = p2.tick(&RawSnapshot {
-            since_start: Duration::from_secs(120),
-            motion: 0.05,
-            ..Default::default()
-        }, &cfg());
-        let mut saw_event = false;
-        for t in 121..130 {
-            let s = RawSnapshot {
-                since_start: Duration::from_secs(t),
-                motion: 0.05,
-                fall_detected: true,
-                ..Default::default()
-            };
-            if matches!(p2.tick(&s, &cfg()), PrimitiveState::Event { .. }) {
-                saw_event = true;
-                break;
-            }
-        }
-        assert!(saw_event, "should have emitted crossing event");
-        // Suppress unused warning.
-        let _ = last_state;
-    }
-
-    #[test]
-    fn fall_history_evicts_after_24h() {
-        let mut p = FallRiskElevated::new();
-        // Inject fall.
-        let _ = p.tick(&RawSnapshot {
-            since_start: Duration::from_secs(120),
-            motion: 0.05,
-            fall_detected: true,
-            ..Default::default()
-        }, &cfg());
-        // 25 hours later — the fall should evict from the window.
-        let _ = p.tick(&RawSnapshot {
-            since_start: Duration::from_secs(120 + 25 * 3600),
-            motion: 0.05,
-            ..Default::default()
-        }, &cfg());
-        assert!(p.fall_history.is_empty(), "fall must evict after 24h");
-    }
-}
@@ -1,141 +0,0 @@
-//! Meeting-in-progress primitive (§3.12.1 row 5).
-//!
-//! Enter `meeting_in_progress = ON` when person_count ≥ 2 AND motion
-//! is sustained low-amplitude (people sitting still while talking) for
-//! ≥`meeting_dwell` (default 10 min).
-//!
-//! Exit when person_count < 2 for ≥2 min.
-
-use std::time::Duration;
-
-use super::common::{PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
-
-const EXIT_DWELL: Duration = Duration::from_secs(120);
-
-#[derive(Debug, Default, Clone)]
-pub struct MeetingInProgress {
-    pub active: bool,
-    enter_since: Option<Duration>,
-    exit_since: Option<Duration>,
-}
-
-impl MeetingInProgress {
-    pub fn new() -> Self { Self::default() }
-
-    pub fn tick(&mut self, snap: &RawSnapshot, cfg: &PrimitiveConfig) -> PrimitiveState {
-        if snap.since_start < cfg.warmup {
-            return PrimitiveState::Idle;
-        }
-        // Low-amplitude motion: people seated/quiet but present.
-        let suitable_motion = (0.01..0.20).contains(&snap.motion);
-        let enough_persons = snap.n_persons >= cfg.meeting_min_persons;
-
-        if !self.active {
-            if enough_persons && suitable_motion {
-                let start = *self.enter_since.get_or_insert(snap.since_start);
-                if snap.since_start.saturating_sub(start) >= cfg.meeting_dwell {
-                    self.active = true;
-                    self.exit_since = None;
-                    return PrimitiveState::Boolean {
-                        active: true,
-                        changed: true,
-                        reason: Reason::new(&[
-                            "n_persons>=2",
-                            "motion=1-20%",
-                            "dwell>=10min",
-                        ]),
-                    };
-                }
-            } else {
-                self.enter_since = None;
-            }
-            PrimitiveState::Idle
-        } else {
-            let too_few = snap.n_persons < cfg.meeting_min_persons;
-            if too_few {
-                let start = *self.exit_since.get_or_insert(snap.since_start);
-                if snap.since_start.saturating_sub(start) >= EXIT_DWELL {
-                    self.active = false;
-                    self.enter_since = None;
-                    self.exit_since = None;
-                    return PrimitiveState::Boolean {
-                        active: false,
-                        changed: true,
-                        reason: Reason::new(&["n_persons<2", "dwell>=2min"]),
-                    };
-                }
-            } else {
-                self.exit_since = None;
-            }
-            PrimitiveState::Idle
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn cfg() -> PrimitiveConfig { PrimitiveConfig::default() }
-
-    fn meeting_snap(t_secs: u64, n: u32) -> RawSnapshot {
-        RawSnapshot {
-            since_start: Duration::from_secs(t_secs),
-            presence: true,
-            motion: 0.05,
-            n_persons: n,
-            ..Default::default()
-        }
-    }
-
-    #[test]
-    fn fires_after_dwell_with_2_plus_people() {
-        let mut p = MeetingInProgress::new();
-        let _ = p.tick(&meeting_snap(100, 3), &cfg());
-        let state = p.tick(&meeting_snap(100 + 600, 3), &cfg());
-        match state {
-            PrimitiveState::Boolean { active, .. } => assert!(active),
-            other => panic!("expected on, got {:?}", other),
-        }
-    }
-
-    #[test]
-    fn does_not_fire_with_1_person() {
-        let mut p = MeetingInProgress::new();
-        for t in 100..(100 + 1200) {
-            assert!(matches!(p.tick(&meeting_snap(t, 1), &cfg()), PrimitiveState::Idle));
-        }
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn does_not_fire_with_high_motion() {
-        let mut p = MeetingInProgress::new();
-        for t in 100..(100 + 1200) {
-            let mut s = meeting_snap(t, 3);
-            s.motion = 0.5;
-            assert!(matches!(p.tick(&s, &cfg()), PrimitiveState::Idle));
-        }
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn exits_after_2_min_of_low_count() {
-        let mut p = MeetingInProgress::new();
-        let _ = p.tick(&meeting_snap(100, 3), &cfg());
-        let _ = p.tick(&meeting_snap(100 + 600, 3), &cfg());
-        assert!(p.active);
-        // Drop to 1 person.
-        let _ = p.tick(&meeting_snap(100 + 600 + 1, 1), &cfg());
-        // <2 min: still active.
-        let state = p.tick(&meeting_snap(100 + 600 + 60, 1), &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-        assert!(p.active);
-        // Past 2 min: exit.
-        let state2 = p.tick(&meeting_snap(100 + 600 + 130, 1), &cfg());
-        match state2 {
-            PrimitiveState::Boolean { active, .. } => assert!(!active),
-            other => panic!("expected off, got {:?}", other),
-        }
-    }
-}
@@ -1,63 +0,0 @@
-//! ADR-115 §3.12 — Semantic Automation Primitives (HA-MIND).
-//!
-//! Raw signals are not the product. Customers want first-class entities
-//! like `binary_sensor.bedroom_someone_sleeping`, not a Node-RED flow
-//! that thresholds breathing rate at night. This module owns the
-//! inference layer that turns the `sensing-server` broadcast (raw
-//! `edge_vitals` / `pose_data` / `sensing_update`) into the 10 v1
-//! semantic primitives published as HA entities, Matter events, and
-//! Apple Home scene triggers.
-//!
-//! ## Architectural contract
-//!
-//! - **Server-side inference.** All primitives run inside this process.
-//!   Only the inferred *state* (true/false, scalar, event) crosses the
-//!   wire. This is what makes `--privacy-mode` compatible with
-//!   semantic primitives — biometric *values* can be stripped at the
-//!   integration boundary while the inferred *states* still publish.
-//! - **One source of truth.** Each primitive's FSM lives in one file
-//!   alongside its tests. The `SemanticBus` aggregates output and
-//!   broadcasts to MQTT + Matter consumers. Adding a new primitive is
-//!   one file change — no new MQTT discovery schema, no new Matter
-//!   cluster.
-//! - **Explainability.** Every state change carries a `reason`
-//!   payload so HA users can debug *why* a primitive fired.
-//! - **Hysteresis everywhere.** Each primitive has explicit enter /
-//!   exit thresholds + minimum dwell time so a single noisy frame
-//!   never toggles state. Refractory periods prevent alert spam.
-//! - **Warmup suppression.** No primitive fires during the first 60 s
-//!   after start (per §3.12.4 — sensors are still settling).
-//!
-//! ## Primitives (v1)
-//!
-//! | Primitive               | Module                | Output           |
-//! |-------------------------|-----------------------|------------------|
-//! | someone_sleeping        | [`sleeping`]          | binary_sensor    |
-//! | possible_distress       | [`distress`]          | binary_sensor + event |
-//! | room_active             | [`room_active`]       | binary_sensor    |
-//! | elderly_inactivity_…    | [`elderly_anomaly`]   | binary_sensor + event |
-//! | meeting_in_progress     | [`meeting`]           | binary_sensor    |
-//! | bathroom_occupied       | [`bathroom`]          | binary_sensor    |
-//! | fall_risk_elevated      | [`fall_risk`]         | sensor (0-100)   |
-//! | bed_exit                | [`bed_exit`]          | event            |
-//! | no_movement             | [`no_movement`]       | binary_sensor    |
-//! | multi_room_transition   | [`multi_room`]        | event            |
-//!
-//! Each module exports a struct implementing [`Primitive`] and a `new`
-//! constructor that takes a [`PrimitiveConfig`].
-
-mod bathroom;
-mod bed_exit;
-mod bus;
-mod common;
-mod distress;
-mod elderly_anomaly;
-mod fall_risk;
-mod meeting;
-mod multi_room;
-mod no_movement;
-mod room_active;
-mod sleeping;
-
-pub use bus::{SemanticBus, SemanticEvent, SemanticKind};
-pub use common::{PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
@@ -1,138 +0,0 @@
-//! Multi-room transition primitive (§3.12.1 row 10).
-//!
-//! Edge-triggered event: when an `active_zones` set changes such that
-//! one zone exited AND a different zone entered within
-//! `multi_room_gap` (default 10 s), fire `multi_room_transition` with
-//! the `from_zone` and `to_zone` baked into the reason tags.
-//!
-//! Useful for "who went from X to Y" automations (e.g. light the path,
-//! announce arrival in next room).
-
-use std::collections::HashSet;
-use std::time::Duration;
-
-use super::common::{PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
-
-#[derive(Debug, Default, Clone)]
-pub struct MultiRoomTransition {
-    last_zones: HashSet<String>,
-    last_exit: Option<(String, Duration)>,
-}
-
-impl MultiRoomTransition {
-    pub fn new() -> Self { Self::default() }
-
-    pub fn tick(&mut self, snap: &RawSnapshot, cfg: &PrimitiveConfig) -> PrimitiveState {
-        if snap.since_start < cfg.warmup {
-            self.last_zones = snap.active_zones.iter().cloned().collect();
-            return PrimitiveState::Idle;
-        }
-        let now: HashSet<String> = snap.active_zones.iter().cloned().collect();
-        let added: Vec<&String> = now.difference(&self.last_zones).collect();
-        let removed: Vec<&String> = self.last_zones.difference(&now).collect();
-
-        let mut result = PrimitiveState::Idle;
-
-        // Record the most recent exit.
-        if let Some(exited) = removed.first() {
-            self.last_exit = Some(((*exited).clone(), snap.since_start));
-        }
-
-        // Match exit with subsequent entry.
-        if let (Some(entered), Some((from_zone, exit_t))) = (added.first(), self.last_exit.as_ref()) {
-            let gap = snap.since_start.saturating_sub(*exit_t);
-            if gap <= cfg.multi_room_gap && from_zone.as_str() != entered.as_str() {
-                let reason = Reason::new(&[
-                    "zone_exit_to_entry",
-                    Box::leak(format!("from={}", from_zone).into_boxed_str()),
-                    Box::leak(format!("to={}", entered).into_boxed_str()),
-                ]);
-                result = PrimitiveState::Event {
-                    event_type: "multi_room_transition",
-                    reason,
-                };
-                // Consume the exit so we don't double-fire.
-                self.last_exit = None;
-            }
-        }
-
-        self.last_zones = now;
-        result
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn cfg() -> PrimitiveConfig { PrimitiveConfig::default() }
-
-    fn zones_snap(t_secs: u64, zones: &[&str]) -> RawSnapshot {
-        RawSnapshot {
-            since_start: Duration::from_secs(t_secs),
-            presence: !zones.is_empty(),
-            active_zones: zones.iter().map(|s| s.to_string()).collect(),
-            ..Default::default()
-        }
-    }
-
-    #[test]
-    fn fires_when_zone_changes_quickly() {
-        let mut p = MultiRoomTransition::new();
-        let _ = p.tick(&zones_snap(120, &["kitchen"]), &cfg());
-        // Exit kitchen.
-        let _ = p.tick(&zones_snap(125, &[]), &cfg());
-        // Enter living room within gap.
-        let state = p.tick(&zones_snap(128, &["living"]), &cfg());
-        match state {
-            PrimitiveState::Event { event_type, reason } => {
-                assert_eq!(event_type, "multi_room_transition");
-                assert!(reason.tags.iter().any(|t| t.contains("from=kitchen")));
-                assert!(reason.tags.iter().any(|t| t.contains("to=living")));
-            }
-            other => panic!("expected event, got {:?}", other),
-        }
-    }
-
-    #[test]
-    fn does_not_fire_after_long_gap() {
-        let mut p = MultiRoomTransition::new();
-        let _ = p.tick(&zones_snap(120, &["kitchen"]), &cfg());
-        let _ = p.tick(&zones_snap(125, &[]), &cfg());
-        // 15 s later — outside default 10 s gap.
-        let state = p.tick(&zones_snap(140, &["living"]), &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn does_not_fire_on_same_zone_re_entry() {
-        let mut p = MultiRoomTransition::new();
-        let _ = p.tick(&zones_snap(120, &["kitchen"]), &cfg());
-        let _ = p.tick(&zones_snap(125, &[]), &cfg());
-        let state = p.tick(&zones_snap(128, &["kitchen"]), &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn warmup_blocks_event() {
-        let mut p = MultiRoomTransition::new();
-        let _ = p.tick(&zones_snap(30, &["kitchen"]), &cfg());
-        let state = p.tick(&zones_snap(40, &["living"]), &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn handles_simultaneous_zone_swap() {
-        // Some sensing scenarios emit exit + enter in the same tick.
-        let mut p = MultiRoomTransition::new();
-        let _ = p.tick(&zones_snap(120, &["kitchen"]), &cfg());
-        // Tick where kitchen left AND living entered simultaneously.
-        let state = p.tick(&zones_snap(123, &["living"]), &cfg());
-        match state {
-            PrimitiveState::Event { event_type, .. } => {
-                assert_eq!(event_type, "multi_room_transition");
-            }
-            other => panic!("expected event, got {:?}", other),
-        }
-    }
-}
@@ -1,135 +0,0 @@
-//! No-movement (safety check) primitive (§3.12.1 row 9).
-//!
-//! Enter `no_movement = ON` when `presence == true` AND motion < 0.01
-//! for ≥`no_movement_dwell` (default 30 min).
-//!
-//! Exit on first frame with motion ≥ 0.01.
-
-use std::time::Duration;
-
-use super::common::{PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
-
-#[derive(Debug, Default, Clone)]
-pub struct NoMovement {
-    pub active: bool,
-    still_since: Option<Duration>,
-}
-
-impl NoMovement {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    pub fn tick(&mut self, snap: &RawSnapshot, cfg: &PrimitiveConfig) -> PrimitiveState {
-        if snap.since_start < cfg.warmup {
-            return PrimitiveState::Idle;
-        }
-        let still = snap.presence && snap.motion < 0.01;
-        if !still {
-            self.still_since = None;
-            if self.active {
-                self.active = false;
-                return PrimitiveState::Boolean {
-                    active: false,
-                    changed: true,
-                    reason: Reason::new(&["motion>=1%"]),
-                };
-            }
-            return PrimitiveState::Idle;
-        }
-        let start = *self.still_since.get_or_insert(snap.since_start);
-        let dwell = snap.since_start.saturating_sub(start);
-        if !self.active && dwell >= cfg.no_movement_dwell {
-            self.active = true;
-            return PrimitiveState::Boolean {
-                active: true,
-                changed: true,
-                reason: Reason::new(&[
-                    "presence=true",
-                    "motion<1%",
-                    "dwell>=30min",
-                ]),
-            };
-        }
-        PrimitiveState::Idle
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn cfg() -> PrimitiveConfig {
-        PrimitiveConfig::default()
-    }
-
-    fn still_snap(t_secs: u64) -> RawSnapshot {
-        RawSnapshot {
-            since_start: Duration::from_secs(t_secs),
-            presence: true,
-            motion: 0.005,
-            ..Default::default()
-        }
-    }
-
-    #[test]
-    fn fires_after_full_dwell() {
-        let mut p = NoMovement::new();
-        // Establish start.
-        let _ = p.tick(&still_snap(60 + 10), &cfg());
-        // 30 min later — fire.
-        let state = p.tick(&still_snap(60 + 10 + 30 * 60), &cfg());
-        match state {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(active && changed);
-            }
-            other => panic!("expected on/change, got {:?}", other),
-        }
-    }
-
-    #[test]
-    fn does_not_fire_with_motion() {
-        let mut p = NoMovement::new();
-        let mut s = still_snap(60 + 10);
-        s.motion = 0.02;
-        for t in 0..(30 * 60 + 5) {
-            let mut s2 = s.clone();
-            s2.since_start = Duration::from_secs(60 + 10 + t as u64);
-            assert!(matches!(p.tick(&s2, &cfg()), PrimitiveState::Idle));
-        }
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn brief_motion_resets_timer() {
-        let mut p = NoMovement::new();
-        let _ = p.tick(&still_snap(60 + 10), &cfg());
-        // 25 min in — almost there.
-        let _ = p.tick(&still_snap(60 + 10 + 25 * 60), &cfg());
-        // Motion blip resets.
-        let mut blip = still_snap(60 + 10 + 25 * 60 + 1);
-        blip.motion = 0.05;
-        let _ = p.tick(&blip, &cfg());
-        // 5 min more — should NOT fire because timer reset.
-        let state = p.tick(&still_snap(60 + 10 + 30 * 60 + 2), &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn exits_on_motion_after_active() {
-        let mut p = NoMovement::new();
-        let _ = p.tick(&still_snap(60 + 10), &cfg());
-        let _ = p.tick(&still_snap(60 + 10 + 30 * 60), &cfg());
-        assert!(p.active);
-        let mut s = still_snap(60 + 10 + 30 * 60 + 1);
-        s.motion = 0.10;
-        let state = p.tick(&s, &cfg());
-        match state {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(!active && changed);
-            }
-            other => panic!("expected off/change, got {:?}", other),
-        }
-    }
-}
@@ -1,145 +0,0 @@
-//! Room-active primitive (§3.12.1 row 3).
-//!
-//! Enter `room_active = ON` when presence is true and motion has been
-//! above `room_active_motion_threshold` (default 10 %) at any point in
-//! a rolling `room_active_window` (default 30 s).
-//!
-//! Exit when no motion above threshold for `room_active_exit_idle`
-//! (default 10 min) OR presence drops false.
-
-use std::time::Duration;
-
-use super::common::{PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
-
-#[derive(Debug, Default, Clone)]
-pub struct RoomActive {
-    pub active: bool,
-    last_motion: Option<Duration>,
-}
-
-impl RoomActive {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    pub fn tick(&mut self, snap: &RawSnapshot, cfg: &PrimitiveConfig) -> PrimitiveState {
-        if snap.since_start < cfg.warmup {
-            return PrimitiveState::Idle;
-        }
-        let above_thresh = snap.motion >= cfg.room_active_motion_threshold;
-        if above_thresh && snap.presence {
-            self.last_motion = Some(snap.since_start);
-        }
-
-        let recent_motion = matches!(
-            self.last_motion,
-            Some(t) if snap.since_start.saturating_sub(t) < cfg.room_active_window
-        );
-
-        if !self.active && recent_motion && snap.presence {
-            self.active = true;
-            return PrimitiveState::Boolean {
-                active: true,
-                changed: true,
-                reason: Reason::new(&["motion>10%", "presence=true", "window<30s"]),
-            };
-        }
-        if self.active {
-            let idle_long = matches!(
-                self.last_motion,
-                Some(t) if snap.since_start.saturating_sub(t) >= cfg.room_active_exit_idle
-            ) || self.last_motion.is_none();
-            if !snap.presence || idle_long {
-                self.active = false;
-                let mut tags = Vec::new();
-                if !snap.presence { tags.push("presence=false"); }
-                if idle_long { tags.push("idle>=10min"); }
-                return PrimitiveState::Boolean {
-                    active: false,
-                    changed: true,
-                    reason: Reason::new(&tags),
-                };
-            }
-        }
-        PrimitiveState::Idle
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn cfg() -> PrimitiveConfig {
-        PrimitiveConfig::default()
-    }
-
-    fn snap(t_secs: u64, motion: f64, presence: bool) -> RawSnapshot {
-        RawSnapshot {
-            since_start: Duration::from_secs(t_secs),
-            presence,
-            motion,
-            ..Default::default()
-        }
-    }
-
-    #[test]
-    fn does_not_fire_during_warmup() {
-        let mut p = RoomActive::new();
-        let s = snap(30, 0.5, true);
-        assert!(matches!(p.tick(&s, &cfg()), PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn fires_on_high_motion_with_presence() {
-        let mut p = RoomActive::new();
-        let s = snap(120, 0.4, true);
-        let state = p.tick(&s, &cfg());
-        match state {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(active);
-                assert!(changed);
-            }
-            other => panic!("expected on/change, got {:?}", other),
-        }
-    }
-
-    #[test]
-    fn does_not_fire_without_presence() {
-        let mut p = RoomActive::new();
-        let state = p.tick(&snap(120, 0.4, false), &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn does_not_fire_below_threshold() {
-        let mut p = RoomActive::new();
-        let state = p.tick(&snap(120, 0.05, true), &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-    }
-
-    #[test]
-    fn exits_on_presence_drop() {
-        let mut p = RoomActive::new();
-        let _ = p.tick(&snap(120, 0.4, true), &cfg());
-        let state = p.tick(&snap(125, 0.4, false), &cfg());
-        match state {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(!active);
-                assert!(changed);
-            }
-            other => panic!("expected off/change, got {:?}", other),
-        }
-    }
-
-    #[test]
-    fn exits_on_extended_idle() {
-        let mut p = RoomActive::new();
-        let _ = p.tick(&snap(120, 0.4, true), &cfg());
-        // Idle below threshold for >10 min.
-        let state = p.tick(&snap(120 + 600, 0.02, true), &cfg());
-        match state {
-            PrimitiveState::Boolean { active, .. } => assert!(!active),
-            other => panic!("expected off, got {:?}", other),
-        }
-    }
-}
@@ -1,227 +0,0 @@
-//! Someone-sleeping primitive (§3.12.1 row 1).
-//!
-//! **Definition (v1):**
-//!
-//! Enter `someone_sleeping = ON` when ALL of the following hold for
-//! `sleep_dwell` (default 300 s):
-//! - `presence == true`
-//! - `motion < 0.05` (rolling)
-//! - `breathing_rate_bpm ∈ [8.0, 20.0]` (rolling, conf ≥ 0.5)
-//!
-//! Exit when `motion > 0.15` for ≥30 s OR presence drops false.
-//!
-//! Heart-rate variability check is deferred to v2 because the broadcast
-//! channel doesn't yet emit HRV; v1 fires on motion + BR + presence
-//! which is the minimum that detects sleep cleanly in the ADR-079
-//! paired-capture validation set.
-
-use std::time::Duration;
-
-use super::common::{PrimitiveConfig, PrimitiveState, RawSnapshot, Reason};
-
-#[derive(Debug, Default, Clone)]
-pub struct SomeoneSleeping {
-    pub active: bool,
-    enter_since: Option<Duration>,
-    exit_since: Option<Duration>,
-}
-
-impl SomeoneSleeping {
-    pub fn new() -> Self {
-        Self::default()
-    }
-
-    /// Process one snapshot, return state change (if any).
-    pub fn tick(&mut self, snap: &RawSnapshot, cfg: &PrimitiveConfig) -> PrimitiveState {
-        if snap.since_start < cfg.warmup {
-            return PrimitiveState::Idle;
-        }
-        let br_ok = matches!(snap.breathing_rate_bpm, Some(bpm) if (8.0..=20.0).contains(&bpm))
-            && snap.vital_confidence >= 0.5;
-        let motion_low = snap.motion < 0.05;
-        let presence_ok = snap.presence;
-
-        if !self.active {
-            if presence_ok && motion_low && br_ok {
-                let start = *self.enter_since.get_or_insert(snap.since_start);
-                if snap.since_start.saturating_sub(start) >= cfg.sleep_dwell {
-                    self.active = true;
-                    self.exit_since = None;
-                    return PrimitiveState::Boolean {
-                        active: true,
-                        changed: true,
-                        reason: Reason::new(&[
-                            "presence=true",
-                            "motion<5%",
-                            "br=8-20bpm",
-                            "dwell>=5min",
-                        ]),
-                    };
-                }
-            } else {
-                self.enter_since = None;
-            }
-            PrimitiveState::Idle
-        } else {
-            // Active — check exit conditions.
-            let exiting = !presence_ok || snap.motion > 0.15;
-            if exiting {
-                let start = *self.exit_since.get_or_insert(snap.since_start);
-                // Presence-drop is immediate; motion-spike requires 30s dwell.
-                if !presence_ok || snap.since_start.saturating_sub(start) >= Duration::from_secs(30) {
-                    self.active = false;
-                    self.enter_since = None;
-                    self.exit_since = None;
-                    let mut tags = Vec::new();
-                    if !presence_ok { tags.push("presence=false"); }
-                    if snap.motion > 0.15 { tags.push("motion>15%"); }
-                    return PrimitiveState::Boolean {
-                        active: false,
-                        changed: true,
-                        reason: Reason::new(&tags),
-                    };
-                }
-            } else {
-                self.exit_since = None;
-            }
-            PrimitiveState::Idle
-        }
-    }
-}
-
-#[cfg(test)]
-mod tests {
-    use super::*;
-
-    fn cfg() -> PrimitiveConfig {
-        PrimitiveConfig::default()
-    }
-
-    fn sleeping_snap(t_secs: u64) -> RawSnapshot {
-        RawSnapshot {
-            since_start: Duration::from_secs(t_secs),
-            presence: true,
-            motion: 0.02,
-            breathing_rate_bpm: Some(13.0),
-            vital_confidence: 0.85,
-            ..Default::default()
-        }
-    }
-
-    #[test]
-    fn does_not_fire_during_warmup() {
-        let mut p = SomeoneSleeping::new();
-        let s = sleeping_snap(30);
-        assert!(matches!(p.tick(&s, &cfg()), PrimitiveState::Idle));
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn fires_after_dwell_post_warmup() {
-        let mut p = SomeoneSleeping::new();
-        // Tick after warmup but before dwell — idle.
-        assert!(matches!(p.tick(&sleeping_snap(60 + 100), &cfg()), PrimitiveState::Idle));
-        // Tick after warmup + dwell — should activate (start was at t=160).
-        let state = p.tick(&sleeping_snap(60 + 100 + 300), &cfg());
-        match state {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(active);
-                assert!(changed);
-            }
-            other => panic!("expected boolean on/change, got {:?}", other),
-        }
-        assert!(p.active);
-    }
-
-    #[test]
-    fn does_not_fire_when_motion_high() {
-        let mut p = SomeoneSleeping::new();
-        let mut s = sleeping_snap(60 + 100);
-        s.motion = 0.30;
-        for t in 0..600u64 {
-            let mut s2 = s.clone();
-            s2.since_start = Duration::from_secs(60 + 100 + t);
-            assert!(matches!(p.tick(&s2, &cfg()), PrimitiveState::Idle));
-        }
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn does_not_fire_when_br_out_of_range() {
-        let mut p = SomeoneSleeping::new();
-        let mut s = sleeping_snap(60 + 100);
-        s.breathing_rate_bpm = Some(30.0); // too fast
-        let s2 = {
-            let mut x = s.clone();
-            x.since_start = Duration::from_secs(60 + 100 + 600);
-            x
-        };
-        let _ = p.tick(&s, &cfg());
-        assert!(matches!(p.tick(&s2, &cfg()), PrimitiveState::Idle));
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn exits_on_presence_false_immediately() {
-        let mut p = SomeoneSleeping::new();
-        let _ = p.tick(&sleeping_snap(60 + 100), &cfg());
-        let _ = p.tick(&sleeping_snap(60 + 100 + 300), &cfg());
-        assert!(p.active);
-        // Presence drops.
-        let mut s = sleeping_snap(60 + 100 + 301);
-        s.presence = false;
-        let state = p.tick(&s, &cfg());
-        match state {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(!active);
-                assert!(changed);
-            }
-            other => panic!("expected boolean off/change, got {:?}", other),
-        }
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn exits_on_sustained_motion_only_after_30s() {
-        let mut p = SomeoneSleeping::new();
-        let _ = p.tick(&sleeping_snap(60 + 100), &cfg());
-        let _ = p.tick(&sleeping_snap(60 + 100 + 300), &cfg());
-        assert!(p.active);
-        // Motion spikes for 10 s — too short to exit.
-        let mut s = sleeping_snap(60 + 100 + 310);
-        s.motion = 0.20;
-        let state = p.tick(&s, &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-        assert!(p.active);
-        // Motion sustained 30 s → exit.
-        let mut s2 = sleeping_snap(60 + 100 + 340);
-        s2.motion = 0.20;
-        let state2 = p.tick(&s2, &cfg());
-        match state2 {
-            PrimitiveState::Boolean { active, changed, .. } => {
-                assert!(!active);
-                assert!(changed);
-            }
-            other => panic!("expected boolean off/change, got {:?}", other),
-        }
-        assert!(!p.active);
-    }
-
-    #[test]
-    fn brief_motion_blip_does_not_exit() {
-        let mut p = SomeoneSleeping::new();
-        let _ = p.tick(&sleeping_snap(60 + 100), &cfg());
-        let _ = p.tick(&sleeping_snap(60 + 100 + 300), &cfg());
-        assert!(p.active);
-        // Motion spikes briefly then returns to low.
-        let mut s_spike = sleeping_snap(60 + 100 + 305);
-        s_spike.motion = 0.20;
-        let _ = p.tick(&s_spike, &cfg());
-        // Back to low motion within 30s.
-        let s_calm = sleeping_snap(60 + 100 + 315);
-        let state = p.tick(&s_calm, &cfg());
-        assert!(matches!(state, PrimitiveState::Idle));
-        // Still active because exit dwell was reset by calm sample.
-        assert!(p.active);
-    }
-}
@@ -1,349 +0,0 @@
-//! ADR-115 P4 — MQTT integration tests against a real broker.
-//!
-//! These tests require an MQTT broker reachable at `localhost:11883`
-//! (overridable via `RUVIEW_TEST_MQTT_PORT`). They are gated behind the
-//! `mqtt` feature (which pulls in `rumqttc`) **and** behind the
-//! `RUVIEW_RUN_INTEGRATION` env var so the default test run on
-//! developer machines doesn't break when there's no broker.
-//!
-//! In CI, the `.github/workflows/mqtt-integration.yml` workflow spins
-//! up a Mosquitto sidecar container, sets `RUVIEW_RUN_INTEGRATION=1`,
-//! and runs `cargo test -p wifi-densepose-sensing-server --features mqtt
-//! --test mqtt_integration`.
-//!
-//! ## What these tests prove
-//!
-//! 1. The publisher connects to a real broker and emits HA discovery
-//!    `config` topics for every enabled entity.
-//! 2. The discovery payloads round-trip back via `mosquitto_sub`-style
-//!    subscription with the exact JSON shape `mqtt::discovery` produces.
-//! 3. Availability is published `online` retained on connect and
-//!    `offline` on graceful disconnect (the LWT/disconnect path).
-//! 4. Privacy mode strips heart-rate / breathing-rate / pose discovery
-//!    from the wire entirely — the integration confirms the strip
-//!    happens at the broker boundary, not just in unit-test logic.
-//!
-//! ## Why this is gated
-//!
-//! We need a live broker. Pulling `rumqttd` into the dev-dep tree as an
-//! embedded broker would work in theory but adds 60+ transitive deps
-//! and 1+ min compile time to every `cargo test` invocation on every
-//! developer's machine. Gating behind an env var keeps the default
-//! `cargo test --workspace` fast.
-
-#![cfg(feature = "mqtt")]
-
-use std::time::Duration;
-
-use rumqttc::{AsyncClient, Event, EventLoop, MqttOptions, Packet, QoS};
-use serde_json::Value;
-use tokio::sync::broadcast;
-use tokio::time::timeout;
-
-use wifi_densepose_sensing_server::mqtt::{
-    config::{MqttConfig, PublishRates, TlsConfig},
-    publisher::{spawn, OwnedDiscoveryBuilder},
-    state::VitalsSnapshot,
-};
-
-fn should_run() -> Option<u16> {
-    if std::env::var("RUVIEW_RUN_INTEGRATION").is_err() {
-        eprintln!("[skip] set RUVIEW_RUN_INTEGRATION=1 + run a broker on the test port");
-        return None;
-    }
-    let port = std::env::var("RUVIEW_TEST_MQTT_PORT")
-        .ok()
-        .and_then(|s| s.parse().ok())
-        .unwrap_or(11883);
-    Some(port)
-}
-
-fn make_cfg(port: u16, privacy_mode: bool, label: &str) -> std::sync::Arc<MqttConfig> {
-    std::sync::Arc::new(MqttConfig {
-        host: "127.0.0.1".into(),
-        port,
-        username: None,
-        password: None,
-        // Per-test client_id so cargo test --test-threads=1 doesn't make
-        // mosquitto kick the previous session when the next test connects
-        // with the same client_id (default MQTT session-takeover behaviour).
-        client_id: format!("ruview-int-test-{}-{}", std::process::id(), label),
-        discovery_prefix: "homeassistant".into(),
-        tls: TlsConfig::Off,
-        refresh_secs: 60,
-        rates: PublishRates {
-            // Fast rates so the test gets a sample quickly.
-            vitals_hz: 5.0,
-            motion_hz: 5.0,
-            count_hz: 5.0,
-            rssi_hz: 5.0,
-            pose_hz: 5.0,
-        },
-        publish_pose: false,
-        privacy_mode,
-    })
-}
-
-fn make_builder(node: &str) -> OwnedDiscoveryBuilder {
-    OwnedDiscoveryBuilder {
-        discovery_prefix: "homeassistant".into(),
-        node_id: node.into(),
-        node_friendly_name: Some(format!("Test {}", node)),
-        sw_version: "0.7.0-test".into(),
-        model: "integration".into(),
-        via_device: None,
-    }
-}
-
-async fn subscribe_client(port: u16, topics: &[&str]) -> (AsyncClient, EventLoop) {
-    // Per-call unique client_id so subscribers across tests don't take
-    // each other over.
-    let suffix: u64 = std::time::SystemTime::now()
-        .duration_since(std::time::UNIX_EPOCH)
-        .map(|d| d.subsec_nanos() as u64)
-        .unwrap_or(0);
-    let mut opts = MqttOptions::new(
-        format!("ruview-test-sub-{}-{}", std::process::id(), suffix),
-        "127.0.0.1",
-        port,
-    );
-    opts.set_keep_alive(Duration::from_secs(10));
-    opts.set_clean_session(true);
-    let (client, mut eventloop) = AsyncClient::new(opts, 256);
-    for t in topics {
-        client.subscribe(*t, QoS::AtLeastOnce).await.unwrap();
-    }
-
-    // Drive the eventloop until we see the SubAck for our last subscribe.
-    // Without this the SUBSCRIBE packet is only queued in rumqttc's
-    // outbound channel; it doesn't reach the broker until something
-    // pumps the eventloop. The caller's `collect_published` does that,
-    // but by then the publisher may already have emitted state
-    // messages — including the retained ones that won't be re-sent.
-    let until = tokio::time::Instant::now() + Duration::from_secs(3);
-    while tokio::time::Instant::now() < until {
-        let remain = until - tokio::time::Instant::now();
-        match timeout(remain, eventloop.poll()).await {
-            Ok(Ok(Event::Incoming(Packet::SubAck(_)))) => break,
-            Ok(Ok(_)) => continue,
-            Ok(Err(e)) => {
-                eprintln!("[subscribe_client] eventloop error before SubAck: {e}");
-                break;
-            }
-            Err(_) => break,
-        }
-    }
-
-    (client, eventloop)
-}
-
-async fn collect_published(
-    eventloop: &mut EventLoop,
-    deadline: Duration,
-) -> Vec<(String, Vec<u8>, bool)> {
-    let mut out = Vec::new();
-    let until = tokio::time::Instant::now() + deadline;
-    while tokio::time::Instant::now() < until {
-        let remain = until - tokio::time::Instant::now();
-        match timeout(remain, eventloop.poll()).await {
-            Ok(Ok(Event::Incoming(Packet::Publish(p)))) => {
-                out.push((p.topic, p.payload.to_vec(), p.retain));
-            }
-            Ok(Ok(_)) => {} // ignore other events
-            Ok(Err(e)) => {
-                eprintln!("[test] eventloop error: {}", e);
-                break;
-            }
-            Err(_) => break,
-        }
-    }
-    out
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn discovery_topics_appear_on_broker() {
-    let Some(port) = should_run() else { return; };
-
-    // Subscriber wired first so we don't miss the initial discovery burst.
-    let (sub, mut sub_loop) =
-        subscribe_client(port, &["homeassistant/#"]).await;
-
-    // Spawn the publisher.
-    let cfg = make_cfg(port, false, "discovery");
-    let builder = make_builder("inttest1");
-    let (_tx, rx) = broadcast::channel::<VitalsSnapshot>(32);
-    let _handle = spawn(cfg, builder, rx);
-
-    // Drain the subscriber for up to 6 s — enough for initial discovery
-    // + first availability publication.
-    let msgs = collect_published(&mut sub_loop, Duration::from_secs(6)).await;
-    let _ = sub.disconnect().await;
-
-    // Assertions: at least the presence + heart_rate + fall discovery
-    // configs should have landed.
-    let topics: Vec<&str> = msgs.iter().map(|(t, _, _)| t.as_str()).collect();
-    let presence_cfg = topics
-        .iter()
-        .any(|t| t.ends_with("/wifi_densepose_inttest1/presence/config"));
-    let hr_cfg = topics
-        .iter()
-        .any(|t| t.ends_with("/wifi_densepose_inttest1/heart_rate/config"));
-    let fall_cfg = topics
-        .iter()
-        .any(|t| t.ends_with("/wifi_densepose_inttest1/fall/config"));
-
-    assert!(presence_cfg, "missing presence discovery topic in {:?}", topics);
-    assert!(hr_cfg, "missing heart_rate discovery topic in {:?}", topics);
-    assert!(fall_cfg, "missing fall discovery topic in {:?}", topics);
-
-    // Spot-check the JSON shape of one discovery payload.
-    let presence_payload = msgs
-        .iter()
-        .find(|(t, _, _)| t.ends_with("/presence/config"))
-        .map(|(_, p, _)| p.clone())
-        .unwrap();
-    let json: Value = serde_json::from_slice(&presence_payload).unwrap();
-    assert_eq!(json["device_class"], "occupancy");
-    assert_eq!(json["payload_on"], "ON");
-    assert_eq!(json["payload_off"], "OFF");
-    assert!(json["unique_id"]
-        .as_str()
-        .unwrap()
-        .starts_with("wifi_densepose_"));
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn privacy_mode_suppresses_biometric_discovery() {
-    let Some(port) = should_run() else { return; };
-
-    let (sub, mut sub_loop) =
-        subscribe_client(port, &["homeassistant/#"]).await;
-
-    let cfg = make_cfg(port, /* privacy_mode = */ true, "privacy");
-    let builder = make_builder("inttest2");
-    let (_tx, rx) = broadcast::channel::<VitalsSnapshot>(32);
-    let _handle = spawn(cfg, builder, rx);
-
-    let msgs = collect_published(&mut sub_loop, Duration::from_secs(6)).await;
-    let _ = sub.disconnect().await;
-
-    let topics: Vec<&str> = msgs.iter().map(|(t, _, _)| t.as_str()).collect();
-
-    // Biometric discovery must NOT appear.
-    let leaked_hr = topics
-        .iter()
-        .any(|t| t.contains("/inttest2/heart_rate/"));
-    let leaked_br = topics
-        .iter()
-        .any(|t| t.contains("/inttest2/breathing_rate/"));
-    let leaked_pose = topics.iter().any(|t| t.contains("/inttest2/pose/"));
-
-    assert!(!leaked_hr, "heart_rate leaked under privacy mode: {:?}", topics);
-    assert!(!leaked_br, "breathing_rate leaked under privacy mode");
-    assert!(!leaked_pose, "pose leaked under privacy mode");
-
-    // Non-biometric entities + semantic primitives still appear.
-    let presence_cfg = topics
-        .iter()
-        .any(|t| t.ends_with("/wifi_densepose_inttest2/presence/config"));
-    let sleeping_cfg = topics.iter().any(|t| {
-        t.ends_with("/wifi_densepose_inttest2/someone_sleeping/config")
-    });
-
-    assert!(presence_cfg, "presence missing in privacy mode");
-    assert!(
-        sleeping_cfg,
-        "someone_sleeping must remain in privacy mode (it's inferred, not biometric)"
-    );
-}
-
-#[tokio::test(flavor = "multi_thread", worker_threads = 2)]
-async fn state_messages_published_on_snapshot_broadcast() {
-    let Some(port) = should_run() else { return; };
-
-    // Subscribe to the entire homeassistant tree so the diagnostic
-    // capture shows EVERYTHING the publisher is doing, not just
-    // the narrow presence/state filter — narrow filters can hide
-    // ordering issues (e.g., if the publisher is publishing only
-    // discovery and not state, a narrow filter on state can't tell
-    // us that).
-    let (sub, mut sub_loop) = subscribe_client(port, &["homeassistant/#"]).await;
-
-    let cfg = make_cfg(port, false, "state");
-    let builder = make_builder("inttest3");
-    let (tx, rx) = broadcast::channel::<VitalsSnapshot>(32);
-    let _handle = spawn(cfg, builder, rx);
-
-    // Iter 46 — instead of front-loading 6 snapshots and hoping the
-    // publisher's startup beats them, drive snapshots in a background
-    // task THROUGHOUT the capture window. CI runners can be slow to
-    // boot the publisher (mosquitto sidecar + cold cargo cache + slow
-    // QoS-1 discovery publishes), so a "publisher must be ready by
-    // t=3s" assumption is fragile. Steady-state ON/OFF traffic for the
-    // full 14 s window guarantees both states appear in the capture
-    // even if the first 3-5 s of publishes are missed.
-    let tx_bg = tx.clone();
-    let drive = tokio::spawn(async move {
-        // Brief warm-up before first publish.
-        tokio::time::sleep(Duration::from_secs(1)).await;
-        for i in 0..40 {
-            let _ = tx_bg.send(VitalsSnapshot {
-                node_id: "inttest3".into(),
-                timestamp_ms: 1779_512_400_000 + (i as i64) * 300,
-                presence: i % 2 == 0,
-                fall_detected: false,
-                motion: if i % 2 == 0 { 0.40 } else { 0.02 },
-                motion_energy: 800.0,
-                presence_score: if i % 2 == 0 { 0.95 } else { 0.10 },
-                breathing_rate_bpm: Some(14.0),
-                heartrate_bpm: Some(72.0),
-                n_persons: if i % 2 == 0 { 1 } else { 0 },
-                rssi_dbm: Some(-48.0),
-                vital_confidence: 0.9,
-            });
-            tokio::time::sleep(Duration::from_millis(300)).await;
-        }
-    });
-
-    // 14 s window covers warm-up + 12 s of steady-state ON/OFF traffic.
-    let msgs = collect_published(&mut sub_loop, Duration::from_secs(14)).await;
-    drive.abort();
-    let _ = sub.disconnect().await;
-
-    // Diagnostic: dump every captured topic so we can see what (if
-    // anything) the subscriber received. CI runs with --nocapture, so
-    // this lands in the workflow log when the test fails.
-    eprintln!("[diag] subscriber captured {} messages:", msgs.len());
-    for (t, p, retain) in &msgs {
-        eprintln!(
-            "[diag]   retain={} topic={} payload={}",
-            retain,
-            t,
-            String::from_utf8_lossy(p).chars().take(80).collect::<String>(),
-        );
-    }
-
-    // Filter for THIS test's presence state messages. The topic format
-    // is `homeassistant/binary_sensor/wifi_densepose_<node>/presence/state`
-    // — `wifi_densepose_inttest3` is one path segment with an underscore
-    // separator, NOT slash-separated. The previous version looked for
-    // `/inttest3/presence/state` (with leading slash) which is the bug
-    // that took 5 commits + a diagnostic dump to find.
-    let presence_states: Vec<String> = msgs
-        .iter()
-        .filter(|(t, _, _)| t.contains("wifi_densepose_inttest3/presence/state"))
-        .map(|(_, p, _)| String::from_utf8_lossy(p).into_owned())
-        .collect();
-
-    assert!(
-        presence_states.iter().any(|p| p == "ON"),
-        "expected ON state, got {:?} (of {} total captured)",
-        presence_states,
-        msgs.len(),
-    );
-    assert!(
-        presence_states.iter().any(|p| p == "OFF"),
-        "expected OFF state, got {:?}",
-        presence_states
-    );
-}