Merge pull request #1026 from ruvnet/feat/v2-beyond-sota-sweep-m8

Beyond-SOTA sweep M8 (ADR-162): enforce plugin Ed25519 signatures + capability isolation + bounded RunModes

docs/adr/ADR-161-homecore-server-layer-security.md

@@ -0,0 +1,267 @@
+# ADR-161: HOMECORE Server Layer — WebSocket Auth Bypass, Reply-Theater & Documented-but-No-Op Automation (Security & Honest Labeling)
+
+- **Status**: accepted
+- **Date**: 2026-06-12
+- **Deciders**: ruv
+- **Tags**: homecore, http-ws-boundary, websocket-auth-bypass, security, automation-engine, documented-no-op, prove-everything, soundness, honest-labeling
+- **Amends**: ADR-130 (HOMECORE-API WS protocol), ADR-129 (HOMECORE-AUTO automation engine), ADR-128 (plugin manifest)
+
+## Context
+
+Beyond-SOTA sweep **Milestone 7**, over the HOMECORE **server/network layer**
+crates only — `homecore-api`, `homecore-server`, `homecore-automation`,
+`homecore-hap`, `homecore-plugins` — executed under the project's
+**prove-everything / anti-"AI-slop"** directive.
+
+### Headline — the library cores are real, but the network boundary was unsound
+
+The same audit pattern as ADR-160 held for the *library logic*: the automation
+trigger/condition/template/action evaluators, the REST handlers, the HAP
+mapping, and the plugin manifest parser are **real, tested code** — not stubs.
+That is the anti-slop positive and it is cited here as such.
+
+What the audit found was **not fake business logic but an unsound trust
+boundary plus documented-but-no-op features**:
+
+1. A **CRITICAL WebSocket authentication bypass** — the WS handshake accepted
+   any non-empty token, ignoring the provisioned token whitelist the REST path
+   enforces.
+2. **Reply-theater** — WS command responses were computed, then logged and
+   **discarded**; no `result`/`pong`/`event` ever reached the client.
+3. **Documented-but-idle automation** — the engine was constructed and dropped
+   (never started); time triggers, `RunMode`, `Choose` branches, and template
+   conditions were each **documented as working but were no-ops in the live
+   path**.
+
+This is a worse class than ADR-160's over-naming: here the **doc claimed a
+capability the code did not deliver** (auth enforcement, reply transport,
+running automations). The fix is **implement where feasible, honestly relabel
+where not — never leave a false doc.** Every fix is pinned by a test that
+**fails on the old code**.
+
+Grading vocabulary (ADR-152 / ADR-158 / ADR-160):
+- **MEASURED** — reproduced in this worktree, command + failing-on-old test recorded.
+- **NO-ACTION (already-honest/already-hardened)** — audited, found correct, cited as a positive.
+- **ACCEPTED-FUTURE** — deliberately deferred, nothing dropped.
+
+## Decision — Fixes Landed
+
+### §A1 — WebSocket auth bypass (CRITICAL, security) — MEASURED
+
+`homecore-api/src/ws.rs` handshake checked only `token.trim().is_empty()` and
+sent `auth_ok` for **any** non-empty token. It never called
+`state.tokens().is_valid()` — the check the REST path uses via
+`auth::BearerAuth`. With a provisioned `HOMECORE_TOKENS` whitelist, **any
+attacker-chosen non-empty token got full WS access** (read all states, call any
+service, subscribe to all events).
+
+**Real fix:** the handshake now calls
+`state.tokens().is_valid(&token).await` (the *same* store + method as REST).
+A wrong token receives `auth_invalid` and the socket closes. DEV (`allow_any`)
+mode still accepts any non-empty bearer with a warn, so smoke tests keep
+working; the empty token is rejected inside `is_valid`.
+
+**Failing-on-old test** (`tests/ws_handshake.rs`):
+`wrong_token_is_rejected` — provisions a real (non-dev) store with one good
+token, sends a DIFFERENT non-empty token over the WS handshake, asserts
+`auth_invalid`. On the old source the client received
+`{"type":"auth_ok",…}` (verified: the test panics on old `ws.rs` with
+`left: "auth_ok", right: "auth_invalid"`). Companion: `correct_token_is_accepted`.
+**Grade: MEASURED. This is the milestone headline.**
+
+### §A2 — WS replies never transmitted (HIGH, functional) — MEASURED
+
+`ws.rs::Connection::run` moved the socket into a recv-only task; the only
+consumer of the response mpsc just did `debug!("ws emit: {msg}")` and dropped
+every message. No command reply ever reached the wire.
+
+**Real fix:** the socket is split with `futures_util::StreamExt::split`. A
+dedicated **writer task** drains the response channel onto `sink.send(...)`
+(text frames; a `__pong:<n>` sentinel maps to a Pong control frame); the reader
+task parses commands concurrently. On reader exit the senders drop and the
+writer task ends cleanly.
+
+**Failing-on-old tests:** `result_reply_is_received` (connect → auth →
+`get_states` → assert a `result` reply is RECEIVED within 5s) and
+`ping_pong_reply_is_received`. Both time out on the old source (verified:
+`Elapsed` panic). **Grade: MEASURED.**
+
+### §A8 — `homecore-api` bin: no env-token path, network-exposed (HIGH, security) — MEASURED
+
+`homecore-api/src/bin/server.rs` bound `0.0.0.0:8123` with
+`SharedState::new()` → `allow_any_non_empty()` and **no** `HOMECORE_TOKENS`
+path (unlike `homecore-server`), so a provisioned operator had no way to lock
+it down.
+
+**Real fix:** the bin now mirrors `homecore-server`'s provisioning — prefer the
+`HOMECORE_TOKENS` whitelist (`LongLivedTokenStore::from_env()`), fall back to an
+**explicitly warn-logged** DEV mode only when unset. It also defaults the bind
+address to **`127.0.0.1`** (loopback) so a bare `cargo run` is not
+network-exposed, with `HOMECORE_BIND` to opt into LAN.
+
+**Failing-on-old test** (`tests/server_bin_auth.rs`):
+`provisioned_bin_rejects_wrong_bearer` reproduces the bin's exact provisioning
+path (a populated, non-dev store) and asserts a wrong bearer → 401;
+`from_env_path_enforces_whitelist` proves `from_env()` is not dev mode and
+enforces the list. The old bin's `allow_any_non_empty()` accepted the wrong
+bearer. **Grade: MEASURED.**
+
+### §A3 — Automation engine never started (HIGH) — MEASURED
+
+`homecore-server/src/main.rs` did `let _automation_engine = AutomationEngine::new(...)`
+then dropped it immediately, while the header doc claimed "Automation engine
+subscribed to the state machine."
+
+**Real fix:** the engine is now built into a long-lived binding and `.start()`
+is called, spawning the event loop + timer task; the header/log lines state it
+is started with N automations and which trigger classes are active. (With A4–A7
+the running engine is genuinely functional, not theater.)
+
+**Evidence:** the engine-behavior tests below run against the same
+`AutomationEngine::start()` path now wired into the bin. **Grade: MEASURED.**
+
+### §A4 — `Trigger::Time` hard-coded `false`, no timer (HIGH) — MEASURED
+
+`trigger.rs::matches_sync` returned `false` for `Time` and there was **no timer
+task** anywhere, so time automations could never fire.
+
+**Real fix:** `AutomationEngine::start_timer` — a 1 Hz tokio interval that
+compares each `time:` automation's `at` (`HH:MM` or `HH:MM:SS`) against the
+local wall-clock second and fires it once per match (conditions still gate it).
+`matches_sync` returning `false` for `Time` is now **correct and documented**
+(it is a wall-clock trigger with no state-change context); a public
+`fire_time_for_test` exposes the same path deterministically.
+
+**Failing-on-old test** (`tests/engine_behaviors.rs`):
+`time_trigger_fires_via_timer_path` (+ unit `time_at_matches_handles_hh_mm_and_hh_mm_ss`).
+The method does not exist on the old engine. **Grade: MEASURED.**
+
+### §A5 — `RunMode` documented as AtomicBool-enforced but unbounded-parallel (HIGH) — MEASURED
+
+`engine.rs` doc claimed "RunMode::Single is enforced via a per-automation
+AtomicBool" — but no such code existed and **every** trigger spawned an
+unbounded parallel task regardless of `mode`.
+
+**Real fix:** each registered automation carries a `running: Arc<AtomicBool>`.
+`Single`/`IgnoreFirst` modes `compare_exchange` the flag before spawning and
+**skip** the trigger if a run is already in flight, clearing it on completion;
+`Parallel` (and, for now, `Restart`/`Queued`) spawn on every trigger.
+
+**Failing-on-old tests** (`tests/engine_behaviors.rs`):
+`single_mode_does_not_double_fire_on_rapid_triggers` (two rapid triggers while
+the first run sleeps → exactly **1** run; old code fired **2**, verified) and
+`parallel_mode_does_fire_concurrently` (→ 2). **Grade: MEASURED (Single/Parallel
+honored; bounded `Queued`/`Restart`/`max` ordering → ACCEPTED-FUTURE, see below).**
+
+### §A6 — `Action::Choose` ignored branches (HIGH) — MEASURED
+
+`action.rs` discarded `choices` and always ran `default`.
+
+**Real fix:** `ChoiceBranch::matches` deserialises each branch's
+`serde_yaml::Value` conditions into `Condition` and evaluates them (AND
+semantics, against an `EvalContext` now carried on `ExecutionContext`). `Choose`
+runs the **first matching branch's** sequence and falls to `default` only if
+none match.
+
+**Failing-on-old tests** (`action.rs` inline):
+`choose_runs_matching_branch_not_default` (matching branch runs, default does
+NOT — old code ran default, verified) and
+`choose_falls_to_default_when_no_branch_matches`. **Grade: MEASURED.**
+
+### §A7 — Template conditions always false in the live engine (MEDIUM) — MEASURED
+
+`condition.rs` returned `false` for `Template` whenever `template_env` was
+`None`, and the engine built every `EvalContext` with `template_env: None`
+(`EvalContext::new`), so `template:` conditions could never be true in
+production — only in unit tests that hand-built a template env.
+
+**Real fix:** the engine constructs one `TemplateEnvironment` over the state
+machine and threads it into every `EvalContext` via
+`EvalContext::with_templates` (event loop, timer task, and
+`ExecutionContext` for `Choose` branches).
+
+**Failing-on-old tests** (`tests/engine_behaviors.rs`):
+`template_condition_evaluates_true_in_engine` (a `{{ is_state(...) }}` condition
+gates an action true) and `template_condition_evaluates_false_blocks_action`.
+On the old engine the action never ran (template always false, verified).
+**Grade: MEASURED.**
+
+### §B5 — Plugin manifest sig/hash "verified before execution" doc was false (LOW, honesty) — relabeled
+
+`homecore-plugins/src/manifest.rs` documented `wasm_module_hash` as "verified
+before execution" and carried `wasm_module_sig` / `publisher_key`, but these
+fields are **never read** for verification (only ever set to `None` in tests).
+
+**Fix (honest labeling — no false capability claimed):** the three fields are
+re-doc'd **"(P4 — not yet enforced, ADR-161/B5)"** — parsed and round-tripped,
+but no integrity/signature check happens before a plugin runs. No verification
+code was added (that is P4); the doc now matches the code.
+**Grade: doc-honesty (no behavior change).** *(Superseded by ADR-162 §P4:
+the hash/signature gate is now implemented and enforced.)*
+
+## Negative Results (NO-ACTION positives — audited, found correct, cited not edited)
+
+These were checked and are genuinely sound/honest; cited as positives, **not**
+touched:
+- **CSPRNG correctness** — all IDs are `uuid::v4`; the rng/`randn` suspicion was
+  **REFUTED**. No weak-randomness issue exists.
+- **CORS allowlist** (`app.rs`) — already hardened (explicit `AllowOrigin::list`,
+  no `permissive()`, `allow_credentials(false)`, env override). NO-ACTION.
+- **No path traversal in `homecore-migrate`** — audited, clean.
+- **No secrets in logs** — audited, clean.
+- **HAP pairing stub** — honestly disclaimed as a surface stub; not over-claimed.
+- **`InProcessRuntime` "no sandbox" disclaimer** — honest; left as-is.
+
+## Deferred Backlog (Nothing Dropped)
+
+- **Plugin authority-isolation (P5)** — ~~`homecore_permissions` claims are parsed
+  but not enforced at the host-call boundary.~~ **DONE — ADR-162 §P5.**
+  `hc_state_set` now consults a `PermissionSet` distilled from the manifest;
+  an undeclared write returns a typed `-3` to the guest.
+- **Plugin signature/hash verification (P4)** — ~~implement the
+  `wasm_module_hash`/`wasm_module_sig`/`publisher_key` gate that B5 now honestly
+  says is absent.~~ **DONE — ADR-162 §P4.** `WasmtimeRuntime::load_plugin` now
+  SHA-256-checks the module, Ed25519-verifies the signature against
+  `publisher_key`, and enforces a `PluginPolicy` trust allowlist
+  (secure-default rejects unsigned/untrusted/tampered modules).
+- **HAP real pairing (P2)** — SRP/HKDF pairing + encrypted sessions; current
+  bridge is an accessory-mapping surface. **ACCEPTED-FUTURE (honestly stubbed).**
+- **`RunMode::Queued`/`Restart`/`max` ordering** — ~~`Single`/`Parallel` are
+  honored; bounded queueing, restart-kill, and `max` concurrency are not yet
+  wired (every non-Single mode is parallel).~~ **DONE — ADR-162 §A5.** Restart
+  aborts the in-flight task, Queued serializes via a per-automation async mutex,
+  and `max: N` caps concurrency via a per-automation semaphore.
+- **Automation YAML load-at-boot** — the engine starts empty; a YAML loader is
+  P-next. The bin log states "0 automations registered" honestly.
+
+## Reproduction (MEASURED)
+
+```bash
+cd v2
+cargo test -p homecore-api -p homecore-server -p homecore-automation -p homecore-hap --no-default-features
+cargo test -p homecore-plugins --features wasmtime
+cargo build --workspace --no-default-features
+```
+
+Result at time of writing (all 0 failed):
+- **homecore-api** — **25 passed** (lib 18; `server_bin_auth` 3; `ws_handshake` 4)
+- **homecore-automation** — **42 passed** (lib 37; `engine_behaviors` 5)
+- **homecore-hap** — **17 passed**
+- **homecore-server** — bin, **0 tests**
+- (**homecore-plugins** — **15 passed**: lib 12; integration 3)
+- Full workspace `cargo build --workspace --no-default-features` succeeds.
+
+## Consequences
+
+- The WebSocket path can no longer be entered with a forged token — it enforces
+  the same `LongLivedTokenStore` whitelist as REST (A1).
+- WS clients now actually receive `result`/`pong`/`event` frames (A2).
+- The `homecore-api` dev bin defaults to loopback and honors `HOMECORE_TOKENS`
+  (A8); it is no longer an open `0.0.0.0` accept-any endpoint by default.
+- The automation engine is started for real and its time triggers, `Single`
+  run-mode, `Choose` branches, and `template:` conditions all function — no doc
+  claims a capability the code lacks (A3–A7).
+- The plugin manifest no longer claims signature verification it does not
+  perform (B5).
+- Files kept under the 500-line guideline (`engine.rs` 462; behavioral tests
+  moved to `tests/engine_behaviors.rs`).

docs/adr/ADR-162-plugin-security-and-bounded-runmodes.md

@@ -0,0 +1,186 @@
+# ADR-162: HOMECORE Plugin Security (Signature + Capability Isolation) & Bounded Automation RunModes — Making ADR-161's Deferred Claims TRUE
+
+- **Status**: accepted
+- **Date**: 2026-06-12
+- **Deciders**: ruv
+- **Tags**: homecore, homecore-plugins, homecore-automation, plugin-security, wasm-signature-verification, ed25519, capability-isolation, runmode, prove-everything, soundness, honest-labeling
+- **Amends**: ADR-161 (relabelled P4/P5 + §A5 deferrals → now enforced), ADR-128 (plugin manifest), ADR-129 (automation engine)
+
+## Context
+
+Beyond-SOTA sweep **Milestone 8**, scoped to `homecore-plugins` and
+`homecore-automation` only, under the project's **prove-everything /
+anti-"AI-slop"** directive.
+
+ADR-161 (Milestone 7) did the honest thing with three plugin/automation
+items it could not finish in that window: rather than fake them, it **relabelled
+them as deferred** —
+
+- **P4** (plugin signature verification): the manifest's `wasm_module_hash` /
+  `wasm_module_sig` / `publisher_key` were re-doc'd "(P4 — not yet enforced,
+  ADR-161/B5)" — parsed and round-tripped, but **never checked** before a
+  plugin runs.
+- **P5** (plugin authority isolation): `homecore_permissions` claims were
+  parsed but **never consulted**; `hc_state_set` let any plugin write any
+  entity, including `lock.*` / `alarm_control_panel.*`.
+- **§A5** (`RunMode`): `Single`/`Parallel` were honored; `Restart`/`Queued`/
+  `max: N` were honestly documented as still **unbounded-parallel**.
+
+### Headline — the deferred security items are now ENFORCED + TESTED
+
+M8 turns those honest deferrals into real, tested behavior. The plugin trust
+boundary is now sound (a tampered module, an untrusted publisher, or an
+unsigned module is rejected by the secure default), an over-privileged plugin
+write is denied with a typed error, and the bounded run-modes actually bound.
+**Every fix is pinned by a test that FAILS on the pre-M8 code** — each of the
+three RunMode tests was additionally run against a simulated unbounded-parallel
+dispatch and confirmed to panic.
+
+The Ed25519 crypto reuses the in-repo `cog-ha-matter::witness_signing` pattern
+(same `ed25519-dalek` 2.x API, same deterministic-test-key convention). SHA-256
+matches the `sha256:` prefix the manifest already declared and the
+`cog-ha-matter` cog manifest's `binary_sha256` hex convention. No new external
+dependency tree was introduced — `ed25519-dalek` / `sha2` / `hex` / `base64`
+were already in the workspace `Cargo.lock` (cog-ha-matter / bfld pull them in);
+only new dependency *edges* were added to `homecore-plugins`.
+
+Grading vocabulary (ADR-152 / ADR-158 / ADR-160 / ADR-161):
+- **MEASURED** — reproduced in this worktree, command + failing-on-old test recorded.
+- **ACCEPTED-FUTURE** — deliberately deferred, nothing dropped.
+
+## Decision — Fixes Landed
+
+### §P4 — Plugin signature & integrity verification (SECURITY) — MEASURED
+
+`homecore-plugins/src/manifest.rs` declared `wasm_module_hash` /
+`wasm_module_sig` / `publisher_key` but they were **never read** for
+verification; the load path (`wasmtime_runtime.rs`) instantiated any `.wasm`
+bytes handed to it.
+
+**Real fix** (`src/verify.rs`, wired into `WasmtimeRuntime::load_plugin`):
+before instantiation the runtime now —
+
+1. computes the **SHA-256** of the actual `.wasm` bytes and rejects if it ≠ the
+   manifest's `wasm_module_hash` (`sha256:<hex>`) — tamper detection;
+2. verifies the **Ed25519** `wasm_module_sig` (`ed25519:<base64>`, 64-byte raw)
+   over the 32-byte digest against `publisher_key` (`ed25519:<base64>`, 32-byte
+   raw) and rejects on failure;
+3. enforces a configurable **trust policy** — `PluginPolicy::trusted(&[keys])`
+   is an allowlist of publisher verifying keys; `PluginPolicy::AllowUnsigned`
+   is an explicit dev escape hatch that LOGS a loud `warn` on every load it
+   waves through. The **secure default rejects unsigned and unknown-publisher
+   modules.** `PluginPolicy::deny_all()` trusts no publisher.
+
+A typed `PluginError::SignatureRejected` is returned (no host panic). The
+legacy permission-free `load_wasm` is retained for first-party/trusted/test
+modules; production loading goes through `load_plugin`.
+
+**Failing-on-old tests** (`tests/integration.rs`, `--features wasmtime`) — all
+drive `load_plugin`, which **did not exist** on the old code (so the gate is
+genuinely new):
+- `p4_tampered_module_is_rejected` — a byte-flipped `.wasm` → hash mismatch → rejected.
+- `p4_valid_sig_from_trusted_key_loads` — a valid sig from an allowlisted key loads.
+- `p4_valid_sig_from_untrusted_key_is_rejected` — a correctly-signed module from a key NOT on the allowlist is rejected.
+- `p4_unsigned_module_rejected_by_default_loads_only_under_allow_unsigned` — unsigned rejected under `deny_all`, loads (with warn) only under `AllowUnsigned`.
+- Unit (`src/verify.rs`): `valid_sig_from_trusted_key_passes`, `tampered_module_is_rejected`, `valid_sig_from_untrusted_key_is_rejected`, `forged_signature_is_rejected`, `unsigned_module_rejected_under_default_policy`.
+
+A real deterministic keypair signs real `.wasm` bytes in the tests.
+The manifest doc now reads **"(P4 — ENFORCED, ADR-162)"**. **Grade: MEASURED. Milestone headline.**
+
+### §P5 — Plugin authority / capability isolation (SECURITY) — MEASURED
+
+`wasmtime_runtime.rs::hc_state_set` applied any write a plugin requested,
+ignoring the manifest's `homecore_permissions`.
+
+**Real fix** (`src/permissions.rs` + `hc_state_set`): the manifest's
+`homecore_permissions` (the `state:write:<glob>` form, or a bare entity glob
+like `light.*`) are distilled into a `PermissionSet` installed in the plugin's
+Wasmtime store. The `hc_state_set` host import consults
+`permissions.may_write(entity_id)` before applying a write and returns a typed
+`-3` (permission denied) to the guest on a violation — **the host is not
+panicked.** Wasmtime already gives memory isolation; this adds **authority**
+isolation. A plugin with **no** write grants can write nothing (secure default).
+
+**Failing-on-old tests** (`tests/integration.rs`, `--features wasmtime`):
+- `p5_declared_light_plugin_may_write_light_but_not_lock` — a `light.*` plugin writes `light.kitchen` (succeeds) but is REJECTED (`-3`, and the entity is not written) when it tries `lock.front_door`.
+- `p5_plugin_with_no_permissions_can_write_nothing` — a plugin with empty `homecore_permissions` cannot write `light.kitchen`.
+- Unit (`src/permissions.rs`): domain-glob, exact-grant, wildcard, read-grants-don't-confer-write, no-permissions, and explicit `state:write:` form.
+
+The manifest doc now reads **"(P5 — ENFORCED, ADR-162)"**. **Grade: MEASURED.**
+
+### §A5 — Bounded automation RunModes (Restart / Queued / max) — MEASURED
+
+`homecore-automation/src/engine.rs` (per ADR-161) honored `Single`/`Parallel`
+but spawned an unbounded parallel task for `Restart`/`Queued`/`max`.
+
+**Real fix** (`src/runmode.rs`, a per-automation `RunState` the engine owns and
+dispatches through at all three trigger sites — event loop, timer, test hook):
+- **Restart** — aborts the in-flight action task via `tokio::task::AbortHandle`, then starts a fresh one.
+- **Queued** — serializes runs in arrival order via a per-automation async `Mutex`: sequential, never concurrent, nothing dropped.
+- **max: N** — caps concurrency at N via a per-automation `Semaphore`; triggers beyond N **queue** (await a permit) rather than running concurrently. (HA bounded `parallel`/`queued` semantics — chosen and documented as *queue beyond N*, not drop.)
+- `Single`/`IgnoreFirst` re-entrancy guard and `Parallel` preserved.
+
+`engine.rs` trimmed to **433 lines**; the run-mode machinery lives in the new
+`runmode.rs` (153 lines) to keep both under the 500-line guideline.
+
+**Failing-on-old tests** (`tests/engine_behaviors.rs`) — each was run against a
+simulated unbounded-parallel dispatch and confirmed to panic:
+- `restart_mode_cancels_prior_run` — prior run is aborted: exactly **1** completion (old: both ran → 2).
+- `queued_mode_runs_sequentially_not_concurrently` — 3 rapid triggers all run, **max observed concurrency = 1** (old: 3).
+- `max_two_caps_concurrency_at_two` — 4 rapid triggers all run, **max observed concurrency ≤ 2** (old: 4).
+
+**Grade: MEASURED. Restart, Queued, and `max: N` all implemented — no remaining RunMode deferral.**
+
+## Threat model closed
+
+| Threat | Before (ADR-161) | After (ADR-162) |
+|--------|------------------|-----------------|
+| **Tampered module** — attacker swaps `.wasm` bytes after signing | loaded unconditionally (hash never checked) | rejected: SHA-256 mismatch |
+| **Untrusted publisher** — valid sig from a key the host doesn't trust | loaded (sig/key never read) | rejected: publisher_key not on allowlist |
+| **Unsigned module** — no integrity material at all | loaded | rejected by secure default; loads only under explicit `AllowUnsigned` (loud warn) |
+| **Over-privileged plugin write** — a `light.*` plugin writes `lock.front_door` / `alarm_control_panel.*` | applied (permissions never consulted) | denied: typed `-3` to guest, write not applied |
+| **Run-mode resource exhaustion** — `max`/`Queued` spawn unbounded tasks | unbounded parallel | bounded: Restart cancels, Queued serializes, `max: N` caps at N |
+
+## Remaining honest deferral (Nothing Dropped)
+
+- **Plugin-key provisioning / rotation** — the host's trust allowlist
+  (`PluginPolicy::trusted`) is supplied by the caller; sourcing it from the
+  Cognitum control-plane key store (as `cog-ha-matter` does for Seed keys) and
+  key rotation are **ACCEPTED-FUTURE** (out of M8 scope — same boundary
+  `witness_signing` draws).
+- **`InProcessRuntime` (native first-party plugins)** — has no `.wasm` bytes to
+  hash, so P4/P5 apply only to the WASM (`wasmtime`) path; native plugins remain
+  trusted-by-compilation. Honestly noted, not over-claimed.
+- **HAP real pairing (P2)** — unchanged from ADR-161; out of M8 scope.
+
+## Reproduction (MEASURED)
+
+```bash
+cd v2
+# P4/P5 (wasmtime feature needs rustc 1.91+; workspace pins 1.89 for the rest):
+cargo +1.91.1 test -p homecore-plugins --features wasmtime
+# Bounded RunModes:
+cargo test -p homecore-automation --no-default-features
+# Full workspace still builds (1.89 toolchain, no wasmtime):
+cargo build --workspace --no-default-features
+```
+
+Result at time of writing (all 0 failed):
+- **homecore-plugins** `--features wasmtime` — **32 passed** (lib 23; integration 9). (ADR-161 baseline was 15.)
+- **homecore-automation** `--no-default-features` — **45 passed** (lib 37; `engine_behaviors` 8). (ADR-161 baseline was 42.)
+- Full workspace `cargo build --workspace --no-default-features` succeeds.
+
+## Consequences
+
+- A HOMECORE WASM plugin can no longer be loaded with a tampered binary, an
+  untrusted publisher, or (by default) no signature at all — the trust boundary
+  ADR-161/B5 honestly said was absent is now real (P4).
+- A plugin can no longer write entities outside its declared
+  `homecore_permissions`; the lock/alarm escalation path is closed (P5).
+- The automation engine's `Restart`, `Queued`, and `max: N` run-modes are now
+  bounded as documented — no run-mode claims a capability the code lacks.
+- No new external dependency tree (reuses the cog-ha-matter Ed25519 stack
+  already in the lock); source files kept under the 500-line guideline
+  (`engine.rs` 433, `runmode.rs` 153, `verify.rs` 397, `permissions.rs` 168;
+  `wasmtime_runtime.rs` non-test source < 500, inline WAT tests as ADR-161 left
+  them).

v2/Cargo.lock

@@ -3472,6 +3472,7 @@ dependencies = [
  "axum",
  "chrono",
  "dashmap",
+ "futures-util",
  "homecore",
  "http-body-util",
  "hyper 1.8.1",
@@ -3479,6 +3480,7 @@ dependencies = [
  "serde_json",
  "thiserror 1.0.69",
  "tokio",
+ "tokio-tungstenite",
  "tower 0.5.3",
  "tower-http",
  "tracing",
@@ -3552,9 +3554,13 @@ name = "homecore-plugins"
 version = "0.1.0-alpha.0"
 dependencies = [
  "async-trait",
+ "base64 0.22.1",
+ "ed25519-dalek",
+ "hex",
  "homecore",
  "serde",
  "serde_json",
+ "sha2",
  "thiserror 1.0.69",
  "tokio",
  "uuid",
@@ -10933,7 +10939,7 @@ dependencies = [
 
 [[package]]
 name = "wifi-densepose-hardware"
-version = "0.3.0"
+version = "0.3.1"
 dependencies = [
  "approx",
  "byteorder",
@@ -10953,7 +10959,7 @@ dependencies = [
 
 [[package]]
 name = "wifi-densepose-mat"
-version = "0.3.0"
+version = "0.3.1"
 dependencies = [
  "anyhow",
  "approx",
@@ -10985,7 +10991,7 @@ dependencies = [
 
 [[package]]
 name = "wifi-densepose-nn"
-version = "0.3.0"
+version = "0.3.1"
 dependencies = [
  "anyhow",
  "candle-core 0.4.1",
@@ -11039,7 +11045,7 @@ dependencies = [
 
 [[package]]
 name = "wifi-densepose-ruvector"
-version = "0.3.1"
+version = "0.3.2"
 dependencies = [
  "approx",
  "criterion",
@@ -11059,7 +11065,7 @@ dependencies = [
 
 [[package]]
 name = "wifi-densepose-sensing-server"
-version = "0.3.1"
+version = "0.3.2"
 dependencies = [
  "axum",
  "chrono",
@@ -11093,7 +11099,7 @@ dependencies = [
 
 [[package]]
 name = "wifi-densepose-signal"
-version = "0.3.2"
+version = "0.3.3"
 dependencies = [
  "chrono",
  "criterion",
@@ -11120,7 +11126,7 @@ dependencies = [
 
 [[package]]
 name = "wifi-densepose-train"
-version = "0.3.1"
+version = "0.3.2"
 dependencies = [
  "anyhow",
  "approx",
@@ -11158,7 +11164,7 @@ dependencies = [
 
 [[package]]
 name = "wifi-densepose-vitals"
-version = "0.3.0"
+version = "0.3.1"
 dependencies = [
  "criterion",
  "serde",
@@ -11190,7 +11196,7 @@ dependencies = [
 
 [[package]]
 name = "wifi-densepose-wifiscan"
-version = "0.3.0"
+version = "0.3.1"
 dependencies = [
  "serde",
  "tokio",

v2/crates/homecore-api/Cargo.toml

@@ -33,8 +33,12 @@ chrono = { version = "0.4", features = ["serde"] }
 
 uuid = { version = "1", features = ["v4", "serde"] }
 dashmap = "6"
+futures-util = { version = "0.3", default-features = false, features = ["sink"] }
 
 [dev-dependencies]
 tower = { version = "0.5", features = ["util"] }
 hyper = "1"
 http-body-util = "0.1"
+# End-to-end WS handshake + reply tests (HC-WS-01/02, ADR-161).
+tokio-tungstenite = "0.24"
+futures-util = { version = "0.3", default-features = false }

v2/crates/homecore-api/src/app.rs

@@ -88,6 +88,11 @@ fn default_origins() -> Vec<HeaderValue> {
 mod tests {
     use super::*;
 
+    // `set_var`/`remove_var` mutate process-global state; serialize every test
+    // that touches HOMECORE_CORS_ORIGINS so they cannot race in parallel.
+    // Poison-tolerant: a panicking test must not cascade-fail the others.
+    static ENV_LOCK: std::sync::Mutex<()> = std::sync::Mutex::new(());
+
     #[test]
     fn default_origins_includes_vite_and_ha_ports() {
         let origins = default_origins();
@@ -98,6 +103,7 @@ mod tests {
 
     #[test]
     fn env_override_via_homecore_cors_origins() {
+        let _env = ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner());
         std::env::set_var("HOMECORE_CORS_ORIGINS", "https://example.com,https://other.example.com");
         // build_cors_layer() returns a CorsLayer which doesn't expose
         // its origin list; we test the parse path indirectly by
@@ -112,6 +118,7 @@ mod tests {
 
     #[test]
     fn env_empty_falls_back_to_defaults() {
+        let _env = ENV_LOCK.lock().unwrap_or_else(|e| e.into_inner());
         std::env::set_var("HOMECORE_CORS_ORIGINS", "   ");
         let raw = std::env::var("HOMECORE_CORS_ORIGINS").ok();
         let trimmed = raw.as_deref().map(|s| s.trim()).unwrap_or("");

v2/crates/homecore-api/src/bin/server.rs

@@ -1,15 +1,31 @@
 //! `homecore-api-server` binary. Boots a HomeCore runtime and serves
-//! the HA-compat REST + WS API on `:8123`.
+//! the HA-compat REST + WS API.
 //!
-//! P1: bare-minimum bring-up. No persistence, no plugins, no auth
-//! beyond "any non-empty bearer". Useful for `curl` smoke tests of
-//! the wire format from the existing HA companion app:
+//! ## Auth (ADR-161, HC-WS-08)
+//!
+//! Token provisioning matches `homecore-server`: if `HOMECORE_TOKENS`
+//! is set (comma-separated bearer tokens) the API enforces that
+//! whitelist on both the REST and WS paths. If it is **unset**, the
+//! binary falls back to an explicitly-logged DEV mode (any non-empty
+//! bearer accepted) — before this fix the bin unconditionally used
+//! `allow_any_non_empty()` with no env path, so a provisioned operator
+//! had no way to lock it down.
+//!
+//! ## Bind address
+//!
+//! Defaults to `127.0.0.1` (loopback only) so a bare `cargo run` of
+//! this dev binary is not network-exposed. Override with
+//! `HOMECORE_BIND=0.0.0.0:8123` for a LAN deployment (and provision
+//! `HOMECORE_TOKENS` when you do).
 //!
 //!     cargo run -p homecore-api --bin homecore-api-server
-//!     curl -H "Authorization: Bearer test" http://127.0.0.1:8123/api/
+//!     HOMECORE_TOKENS=secret curl -H "Authorization: Bearer secret" \
+//!         http://127.0.0.1:8123/api/
+
+use std::net::SocketAddr;
 
 use homecore::HomeCore;
-use homecore_api::{router, SharedState, DEFAULT_PORT};
+use homecore_api::{router, LongLivedTokenStore, SharedState, DEFAULT_PORT};
 
 #[tokio::main]
 async fn main() -> Result<(), Box<dyn std::error::Error>> {
@@ -21,10 +37,34 @@ async fn main() -> Result<(), Box<dyn std::error::Error>> {
         .init();
 
     let homecore = HomeCore::new();
-    let state = SharedState::new(homecore);
+
+    // Token provisioning (HC-WS-08). Prefer the HOMECORE_TOKENS env
+    // whitelist; fall back to DEV mode (warn-logged) only when unset.
+    let tokens = if std::env::var("HOMECORE_TOKENS")
+        .map(|v| !v.trim().is_empty())
+        .unwrap_or(false)
+    {
+        let s = LongLivedTokenStore::from_env();
+        let n = s.len().await;
+        tracing::info!("LongLivedTokenStore provisioned with {n} bearer token(s) from HOMECORE_TOKENS");
+        s
+    } else {
+        tracing::warn!(
+            "HOMECORE_TOKENS not set — token store in DEV mode (any non-empty bearer \
+             accepted). Set HOMECORE_TOKENS before exposing this binary to the network."
+        );
+        LongLivedTokenStore::allow_any_non_empty()
+    };
+
+    let state = SharedState::with_tokens(homecore, "Home", env!("CARGO_PKG_VERSION"), tokens);
     let app = router(state);
 
-    let addr = std::net::SocketAddr::from(([0, 0, 0, 0], DEFAULT_PORT));
+    // Default to loopback so `cargo run` is not network-exposed; allow
+    // an explicit HOMECORE_BIND override for LAN deployments.
+    let addr: SocketAddr = match std::env::var("HOMECORE_BIND") {
+        Ok(v) if !v.trim().is_empty() => v.parse()?,
+        _ => SocketAddr::from(([127, 0, 0, 1], DEFAULT_PORT)),
+    };
     tracing::info!("HOMECORE-API listening on http://{addr}  (HA-compat /api + /api/websocket)");
 
     let listener = tokio::net::TcpListener::bind(addr).await?;

v2/crates/homecore-api/src/ws.rs

@@ -9,6 +9,16 @@
 //!
 //! `ha_version` is the homecore version string — see ADR-130 Q1 for the
 //! companion-app feature-detect concern.
+//!
+//! ## Security (ADR-161)
+//!
+//! The `auth` token is validated against [`crate::tokens::LongLivedTokenStore`]
+//! via `state.tokens().is_valid()` — the *same* store the REST path uses
+//! (`auth::BearerAuth`). A wrong token receives `auth_invalid` and the socket
+//! is closed. (HC-WS-01 closed the prior bypass where any non-empty token was
+//! accepted.) Command replies are transmitted by a dedicated writer task that
+//! drains the response channel onto the socket (HC-WS-02 closed the prior
+//! reply-theater where responses were logged and discarded).
 
 use std::sync::atomic::{AtomicU64, Ordering};
 use std::sync::Arc;
@@ -18,7 +28,7 @@ use axum::extract::State;
 use axum::response::IntoResponse;
 use serde::{Deserialize, Serialize};
 use tokio::sync::broadcast;
-use tracing::{debug, warn};
+use tracing::warn;
 
 use homecore::{Context, ServiceCall, ServiceName, SystemEvent};
 
@@ -58,11 +68,18 @@ async fn handle_socket(mut socket: WebSocket, state: SharedState) {
         _ => return,
     };
 
-    // P1: accept any non-empty token. P2: validate against store.
-    if token.trim().is_empty() {
+    // Validate the bearer token against the same store the REST path
+    // uses (`state.tokens().is_valid()` — see `rest.rs` /
+    // `auth::BearerAuth`). Before the HC-WS-01 fix this checked only
+    // `token.trim().is_empty()` and accepted ANY non-empty token even
+    // with a provisioned `HOMECORE_TOKENS` whitelist — a full WS auth
+    // bypass. `is_valid()` rejects the empty token internally and, in
+    // DEV (`allow_any`) mode, still accepts any non-empty bearer (with
+    // a warn) so smoke tests keep working.
+    if !state.tokens().is_valid(&token).await {
         let _ = socket
             .send(Message::Text(
-                serde_json::json!({"type":"auth_invalid","message":"empty token"}).to_string(),
+                serde_json::json!({"type":"auth_invalid","message":"invalid token"}).to_string(),
             ))
             .await;
         return;
@@ -140,54 +157,71 @@ impl Connection {
         }
     }
 
-    async fn run(self, mut socket: WebSocket) {
+    async fn run(self, socket: WebSocket) {
+        use futures_util::{SinkExt, StreamExt};
+
         let conn = Arc::new(self);
+        // Split the socket so a dedicated writer task can drain `rx` onto
+        // the wire while the reader task processes commands concurrently.
+        // Before the HC-WS-02 fix the socket was moved into a recv-only
+        // task and the only `rx` consumer just `debug!`-logged and
+        // DISCARDED every message — so no `result`/`pong`/`event` ever
+        // reached the client. Now `rx` feeds `socket.send`.
+        let (mut sink, mut stream) = socket.split();
         let (tx, mut rx) = tokio::sync::mpsc::unbounded_channel::<String>();
 
-        let sender_tx = tx.clone();
-        let recv_task = {
-            let conn = Arc::clone(&conn);
-            tokio::spawn(async move {
-                while let Some(frame) = socket.recv().await {
-                    match frame {
-                        Ok(Message::Text(raw)) => {
-                            let cmd: WsCommand = match serde_json::from_str(&raw) {
-                                Ok(c) => c,
-                                Err(e) => {
-                                    warn!("bad ws command: {e}");
-                                    continue;
-                                }
-                            };
-                            conn.handle_cmd(cmd, &sender_tx).await;
-                        }
-                        Ok(Message::Ping(p)) => {
-                            let _ = sender_tx.send(format!("__pong:{}", p.len()));
-                        }
-                        Ok(Message::Close(_)) | Err(_) => break,
-                        _ => {}
-                    }
+        // Writer task: drain replies onto the socket. A `__pong:<n>`
+        // sentinel maps to a binary Pong control frame; everything else
+        // is a JSON text frame.
+        let writer_task = tokio::spawn(async move {
+            while let Some(msg) = rx.recv().await {
+                let send_result = if let Some(n) = msg.strip_prefix("__pong:") {
+                    let len: usize = n.parse().unwrap_or(0);
+                    sink.send(Message::Pong(vec![0u8; len])).await
+                } else {
+                    sink.send(Message::Text(msg)).await
+                };
+                if send_result.is_err() {
+                    break;
                 }
-                // Cancel all subscriptions on disconnect.
-                for entry in conn.subs.iter() {
-                    entry.value().abort.abort();
-                }
-            });
+            }
+        });
 
-            tokio::spawn(async move {
-                while let Some(msg) = rx.recv().await {
-                    if msg.starts_with("__pong:") {
-                        // pong handled inline; skip
-                        continue;
+        // Reader task: parse and dispatch commands; responses are pushed
+        // into `tx` and transmitted by the writer task above.
+        let reader_tx = tx.clone();
+        {
+            let conn = Arc::clone(&conn);
+            while let Some(frame) = stream.next().await {
+                match frame {
+                    Ok(Message::Text(raw)) => {
+                        let cmd: WsCommand = match serde_json::from_str(&raw) {
+                            Ok(c) => c,
+                            Err(e) => {
+                                warn!("bad ws command: {e}");
+                                continue;
+                            }
+                        };
+                        conn.handle_cmd(cmd, &reader_tx).await;
                     }
-                    // Use the socket from the recv task via a one-shot mpsc
-                    // (in this minimal P1, the recv task owns the socket
-                    // and we ack inline below — this branch is for the
-                    // subscription fan-out emit path)
-                    debug!("ws emit: {msg}");
+                    Ok(Message::Ping(p)) => {
+                        let _ = reader_tx.send(format!("__pong:{}", p.len()));
+                    }
+                    Ok(Message::Close(_)) | Err(_) => break,
+                    _ => {}
                 }
-            })
-        };
-        let _ = recv_task.await;
+            }
+            // Cancel all subscriptions on disconnect.
+            for entry in conn.subs.iter() {
+                entry.value().abort.abort();
+            }
+        }
+
+        // Reader loop ended → drop the senders so the writer task's `rx`
+        // closes and the task exits cleanly.
+        drop(tx);
+        drop(reader_tx);
+        let _ = writer_task.await;
     }
 
     async fn handle_cmd(&self, cmd: WsCommand, tx: &tokio::sync::mpsc::UnboundedSender<String>) {

v2/crates/homecore-api/tests/server_bin_auth.rs

@@ -0,0 +1,77 @@
+//! HC-WS-08 (ADR-161): the `homecore-api-server` bin must honor the
+//! `HOMECORE_TOKENS` env whitelist instead of unconditionally accepting
+//! any non-empty bearer.
+//!
+//! `main()` is not directly callable, so this reproduces the bin's exact
+//! token-provisioning path (`LongLivedTokenStore::from_env()` when
+//! `HOMECORE_TOKENS` is set) and drives a real HTTP request through the
+//! router. On the pre-fix bin — which used `SharedState::new()` →
+//! `allow_any_non_empty()` with NO env path — a wrong bearer was
+//! accepted; this test asserts it is now rejected with 401.
+
+use axum::body::Body;
+use axum::http::{Request, StatusCode};
+use homecore::HomeCore;
+use homecore_api::{router, LongLivedTokenStore, SharedState};
+use tower::ServiceExt; // for `oneshot`
+
+/// Build the same state the bin builds when HOMECORE_TOKENS is set.
+async fn provisioned_state(valid: &str) -> SharedState {
+    // Mirror `from_env()` deterministically without mutating process
+    // env (which would race other tests): an `empty()` store with the
+    // one provisioned token registered is exactly what
+    // `from_env()` produces for `HOMECORE_TOKENS=<valid>`.
+    let store = LongLivedTokenStore::empty();
+    store.register(valid).await;
+    SharedState::with_tokens(HomeCore::new(), "Home", "test", store)
+}
+
+#[tokio::test]
+async fn provisioned_bin_rejects_wrong_bearer() {
+    let app = router(provisioned_state("the_real_token").await);
+    let resp = app
+        .oneshot(
+            Request::builder()
+                .uri("/api/states")
+                .header("Authorization", "Bearer the_wrong_token")
+                .body(Body::empty())
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+    assert_eq!(
+        resp.status(),
+        StatusCode::UNAUTHORIZED,
+        "a provisioned token store must reject a wrong bearer (HC-WS-08)"
+    );
+}
+
+#[tokio::test]
+async fn provisioned_bin_accepts_correct_bearer() {
+    let app = router(provisioned_state("the_real_token").await);
+    let resp = app
+        .oneshot(
+            Request::builder()
+                .uri("/api/states")
+                .header("Authorization", "Bearer the_real_token")
+                .body(Body::empty())
+                .unwrap(),
+        )
+        .await
+        .unwrap();
+    assert_eq!(resp.status(), StatusCode::OK);
+}
+
+#[tokio::test]
+async fn from_env_path_enforces_whitelist() {
+    // Exercise the literal `from_env()` constructor the bin uses, under
+    // a serialized env mutation, to prove the env path itself enforces.
+    std::env::set_var("HOMECORE_TOKENS", "env_token_1, env_token_2");
+    let store = LongLivedTokenStore::from_env();
+    std::env::remove_var("HOMECORE_TOKENS");
+
+    assert!(store.is_valid("env_token_1").await);
+    assert!(store.is_valid("env_token_2").await);
+    assert!(!store.is_valid("not_in_whitelist").await);
+    assert!(!store.is_dev_mode().await, "from_env must NOT be dev mode");
+}

v2/crates/homecore-api/tests/ws_handshake.rs

@@ -0,0 +1,168 @@
+//! End-to-end WebSocket handshake + reply tests (ADR-161, HC-WS-01/02).
+//!
+//! These bind a real `TcpListener`, serve the full router, and connect
+//! with a real WS client (`tokio-tungstenite`). They exercise the wire
+//! path the in-crate unit tests cannot.
+//!
+//! - `wrong_token_is_rejected` — FAILS on the pre-fix `ws.rs` that only
+//!   checked `token.trim().is_empty()` and accepted any non-empty token
+//!   (HC-WS-01: WS auth bypass).
+//! - `result_reply_is_received` — FAILS on the pre-fix `ws.rs` that moved
+//!   the socket into a recv-only task and discarded every reply with
+//!   `debug!("ws emit: {msg}")` (HC-WS-02: reply theater).
+
+use std::net::SocketAddr;
+
+use futures_util::{SinkExt, StreamExt};
+use homecore::HomeCore;
+use homecore_api::{router, LongLivedTokenStore, SharedState};
+use tokio_tungstenite::connect_async;
+use tokio_tungstenite::tungstenite::Message;
+
+/// Spawn the API on an ephemeral port with a real (non-dev) token store
+/// containing exactly one valid token. Returns the bound address.
+async fn spawn_server_with_token(valid_token: &str) -> SocketAddr {
+    let hc = HomeCore::new();
+    let tokens = LongLivedTokenStore::empty();
+    tokens.register(valid_token).await;
+    let state = SharedState::with_tokens(hc, "Test", "test-version", tokens);
+    let app = router(state);
+
+    let listener = tokio::net::TcpListener::bind("127.0.0.1:0").await.unwrap();
+    let addr = listener.local_addr().unwrap();
+    tokio::spawn(async move {
+        axum::serve(listener, app).await.unwrap();
+    });
+    addr
+}
+
+/// Read text frames until one parses as JSON; returns the parsed value.
+async fn next_json<S>(ws: &mut S) -> serde_json::Value
+where
+    S: StreamExt<Item = Result<Message, tokio_tungstenite::tungstenite::Error>> + Unpin,
+{
+    loop {
+        match ws.next().await {
+            Some(Ok(Message::Text(raw))) => {
+                if let Ok(v) = serde_json::from_str::<serde_json::Value>(&raw) {
+                    return v;
+                }
+            }
+            Some(Ok(_)) => continue,
+            other => panic!("expected text frame, got {other:?}"),
+        }
+    }
+}
+
+#[tokio::test]
+async fn wrong_token_is_rejected() {
+    // HC-WS-01: a provisioned store with one good token must reject a
+    // DIFFERENT (non-empty) token over the WS handshake. The old code
+    // sent `auth_ok` for any non-empty token — this asserts the fix.
+    let addr = spawn_server_with_token("good_token_abc").await;
+    let url = format!("ws://{addr}/api/websocket");
+    let (mut ws, _resp) = connect_async(&url).await.unwrap();
+
+    // Server → auth_required
+    let req = next_json(&mut ws).await;
+    assert_eq!(req["type"], "auth_required");
+
+    // Client → auth with the WRONG token
+    ws.send(Message::Text(
+        serde_json::json!({"type":"auth","access_token":"wrong_token_xyz"}).to_string(),
+    ))
+    .await
+    .unwrap();
+
+    // Server → auth_invalid (NOT auth_ok)
+    let resp = next_json(&mut ws).await;
+    assert_eq!(
+        resp["type"], "auth_invalid",
+        "wrong token must be rejected with auth_invalid, got: {resp}"
+    );
+    assert_ne!(resp["type"], "auth_ok", "wrong token must NOT receive auth_ok");
+}
+
+#[tokio::test]
+async fn correct_token_is_accepted() {
+    let addr = spawn_server_with_token("good_token_abc").await;
+    let url = format!("ws://{addr}/api/websocket");
+    let (mut ws, _resp) = connect_async(&url).await.unwrap();
+
+    let req = next_json(&mut ws).await;
+    assert_eq!(req["type"], "auth_required");
+
+    ws.send(Message::Text(
+        serde_json::json!({"type":"auth","access_token":"good_token_abc"}).to_string(),
+    ))
+    .await
+    .unwrap();
+
+    let resp = next_json(&mut ws).await;
+    assert_eq!(resp["type"], "auth_ok", "correct token should be accepted, got: {resp}");
+}
+
+#[tokio::test]
+async fn result_reply_is_received() {
+    // HC-WS-02: after a successful auth, a `get_states` command must
+    // produce a `result` reply RECEIVED over the socket. The old code
+    // discarded all replies in the rx-draining task, so this hangs/
+    // fails on the pre-fix source.
+    let addr = spawn_server_with_token("good_token_abc").await;
+    let url = format!("ws://{addr}/api/websocket");
+    let (mut ws, _resp) = connect_async(&url).await.unwrap();
+
+    let req = next_json(&mut ws).await;
+    assert_eq!(req["type"], "auth_required");
+
+    ws.send(Message::Text(
+        serde_json::json!({"type":"auth","access_token":"good_token_abc"}).to_string(),
+    ))
+    .await
+    .unwrap();
+    let auth = next_json(&mut ws).await;
+    assert_eq!(auth["type"], "auth_ok");
+
+    // Send a command and assert we RECEIVE a result reply.
+    ws.send(Message::Text(
+        serde_json::json!({"id": 1, "type": "get_states"}).to_string(),
+    ))
+    .await
+    .unwrap();
+
+    let reply = tokio::time::timeout(std::time::Duration::from_secs(5), next_json(&mut ws))
+        .await
+        .expect("did not receive a reply within 5s — reply theater (HC-WS-02)");
+    assert_eq!(reply["type"], "result", "expected a result reply, got: {reply}");
+    assert_eq!(reply["id"], 1);
+    assert_eq!(reply["success"], true);
+}
+
+#[tokio::test]
+async fn ping_pong_reply_is_received() {
+    // The `ping` command must produce a `pong` reply on the wire — also
+    // exercises the writer task that HC-WS-02 introduced.
+    let addr = spawn_server_with_token("good_token_abc").await;
+    let url = format!("ws://{addr}/api/websocket");
+    let (mut ws, _resp) = connect_async(&url).await.unwrap();
+
+    let _ = next_json(&mut ws).await; // auth_required
+    ws.send(Message::Text(
+        serde_json::json!({"type":"auth","access_token":"good_token_abc"}).to_string(),
+    ))
+    .await
+    .unwrap();
+    let _ = next_json(&mut ws).await; // auth_ok
+
+    ws.send(Message::Text(
+        serde_json::json!({"id": 7, "type": "ping"}).to_string(),
+    ))
+    .await
+    .unwrap();
+
+    let reply = tokio::time::timeout(std::time::Duration::from_secs(5), next_json(&mut ws))
+        .await
+        .expect("did not receive pong within 5s");
+    assert_eq!(reply["type"], "pong");
+    assert_eq!(reply["id"], 7);
+}

v2/crates/homecore-automation/src/action.rs

@@ -3,15 +3,26 @@
 //! Implements the ADR-129 P1 action set: `service_call`, `delay`, `scene`,
 //! `wait_for_trigger`, `choose`. Complex variants (parallel, repeat, if,
 //! stop, fire_event, wait_template) land in P2.
+//!
+//! ## `choose` branch evaluation (ADR-161, HC-WS-06)
+//!
+//! `Action::Choose` evaluates each branch's `conditions` against the live
+//! [`EvalContext`] (deserialising the per-branch `serde_yaml::Value`
+//! conditions into [`Condition`]) and runs the FIRST matching branch's
+//! sequence. Only if no branch matches does it fall to `default`. Before
+//! this fix the branches were discarded and `default` always ran.
 
+use std::sync::Arc;
 use std::time::Duration;
 
 use serde::{Deserialize, Serialize};
 use tokio::time::sleep;
 
-use homecore::{Context, HomeCore, ServiceCall, ServiceName};
+use homecore::{Context, HomeCore, ServiceCall, ServiceName, StateMachine};
 
+use crate::condition::{Condition, EvalContext};
 use crate::error::AutomationError;
+use crate::template::TemplateEnvironment;
 
 /// Runtime context passed into action execution.
 pub struct ExecutionContext {
@@ -21,14 +32,40 @@ pub struct ExecutionContext {
     pub context: Context,
     /// Automation ID for tracing/logging.
     pub automation_id: String,
+    /// Condition-evaluation context for `Choose` branches. Carries the
+    /// state-machine snapshot + optional template environment so branch
+    /// conditions (incl. `template:`) evaluate against live state.
+    pub eval: EvalContext,
 }
 
 impl ExecutionContext {
+    /// Build a context whose `Choose` branches evaluate against the
+    /// HomeCore state machine (no template env — `template:` branch
+    /// conditions evaluate false; use [`Self::with_templates`] to wire
+    /// one).
     pub fn new(hc: HomeCore, automation_id: impl Into<String>) -> Self {
+        let sm = Arc::new(hc.states().clone());
         Self {
             hc,
             context: Context::new(),
             automation_id: automation_id.into(),
+            eval: EvalContext::new(sm),
+        }
+    }
+
+    /// Build a context with a template environment wired into the
+    /// `Choose` branch-condition evaluator.
+    pub fn with_templates(
+        hc: HomeCore,
+        automation_id: impl Into<String>,
+        states: Arc<StateMachine>,
+        templates: Arc<TemplateEnvironment>,
+    ) -> Self {
+        Self {
+            hc,
+            context: Context::new(),
+            automation_id: automation_id.into(),
+            eval: EvalContext::with_templates(states, templates),
         }
     }
 }
@@ -72,6 +109,27 @@ pub struct ChoiceBranch {
     pub sequence: Vec<Action>,
 }
 
+impl ChoiceBranch {
+    /// Does this branch match? All of its `conditions` must evaluate
+    /// true (HA `choose` semantics are AND-over-conditions). Each raw
+    /// `serde_yaml::Value` is deserialised into a [`Condition`]; a
+    /// condition that fails to parse is treated as non-matching (the
+    /// branch is skipped) rather than silently passing. An empty
+    /// `conditions` list matches (an unconditional branch).
+    pub async fn matches(&self, eval: &EvalContext) -> bool {
+        for raw in &self.conditions {
+            let cond: Condition = match serde_yaml::from_value(raw.clone()) {
+                Ok(c) => c,
+                Err(_) => return false,
+            };
+            if !cond.evaluate(eval).await {
+                return false;
+            }
+        }
+        true
+    }
+}
+
 impl Action {
     /// Execute this action using the provided context.
     ///
@@ -118,9 +176,18 @@ impl Action {
                     }
                     Ok(serde_json::Value::Null)
                 }
-                Action::Choose { choices: _, default } => {
-                    // P1 stub — condition evaluation for choices lands in P2;
-                    // for now, fall through to default branch.
+                Action::Choose { choices, default } => {
+                    // Evaluate each branch's conditions against live state;
+                    // run the first branch whose conditions ALL pass. Fall
+                    // to `default` only if no branch matches (HC-WS-06).
+                    for branch in choices {
+                        if branch.matches(&ctx.eval).await {
+                            for a in &branch.sequence {
+                                a.execute(ctx).await?;
+                            }
+                            return Ok(serde_json::Value::Null);
+                        }
+                    }
                     for a in default {
                         a.execute(ctx).await?;
                     }
@@ -188,4 +255,100 @@ mod tests {
         let err = action.execute(&mut exec_ctx).await.unwrap_err();
         assert!(matches!(err, AutomationError::ServiceCall(ServiceError::NotRegistered { .. })));
     }
+
+    /// Register two recording handlers and return their call logs.
+    async fn two_recorders(
+        hc: &HomeCore,
+    ) -> (Arc<Mutex<Vec<serde_json::Value>>>, Arc<Mutex<Vec<serde_json::Value>>>) {
+        use homecore::EntityId;
+        let _ = EntityId::parse("light.x"); // touch import path
+        let mk = |hc: &HomeCore, svc: &'static str| {
+            let log: Arc<Mutex<Vec<serde_json::Value>>> = Arc::new(Mutex::new(vec![]));
+            let log2 = Arc::clone(&log);
+            let hc = hc.clone();
+            async move {
+                hc.services()
+                    .register(
+                        ServiceName::new("light", svc),
+                        FnHandler(move |call: ServiceCall| {
+                            let l = Arc::clone(&log2);
+                            async move {
+                                l.lock().unwrap().push(call.data.clone());
+                                Ok(serde_json::Value::Null)
+                            }
+                        }),
+                    )
+                    .await;
+                log
+            }
+        };
+        let branch_log = mk(hc, "branch_service").await;
+        let default_log = mk(hc, "default_service").await;
+        (branch_log, default_log)
+    }
+
+    fn choose_with_match() -> Action {
+        // A `Choose` whose first branch requires light.gate == "open".
+        let branch_conditions = vec![serde_yaml::from_str::<serde_yaml::Value>(
+            "condition: state\nentity_id: light.gate\nstate: open",
+        )
+        .unwrap()];
+        Action::Choose {
+            choices: vec![ChoiceBranch {
+                conditions: branch_conditions,
+                sequence: vec![Action::ServiceCall {
+                    domain: "light".into(),
+                    service: "branch_service".into(),
+                    data: serde_json::json!({"branch": true}),
+                }],
+            }],
+            default: vec![Action::ServiceCall {
+                domain: "light".into(),
+                service: "default_service".into(),
+                data: serde_json::json!({"default": true}),
+            }],
+        }
+    }
+
+    #[tokio::test]
+    async fn choose_runs_matching_branch_not_default() {
+        // HC-WS-06: with the branch condition satisfied, the branch
+        // sequence runs and `default` does NOT. On the pre-fix code
+        // (choices discarded) `default` ran instead → this fails on old.
+        use homecore::{Context, EntityId};
+        let hc = HomeCore::new();
+        let (branch_log, default_log) = two_recorders(&hc).await;
+        hc.states().set(
+            EntityId::parse("light.gate").unwrap(),
+            "open",
+            serde_json::json!({}),
+            Context::new(),
+        );
+
+        let mut ctx = ExecutionContext::new(hc, "choose_auto");
+        choose_with_match().execute(&mut ctx).await.unwrap();
+
+        assert_eq!(branch_log.lock().unwrap().len(), 1, "matching branch must run");
+        assert_eq!(default_log.lock().unwrap().len(), 0, "default must NOT run when a branch matches");
+    }
+
+    #[tokio::test]
+    async fn choose_falls_to_default_when_no_branch_matches() {
+        use homecore::{Context, EntityId};
+        let hc = HomeCore::new();
+        let (branch_log, default_log) = two_recorders(&hc).await;
+        // gate is "closed" → branch condition (== "open") fails.
+        hc.states().set(
+            EntityId::parse("light.gate").unwrap(),
+            "closed",
+            serde_json::json!({}),
+            Context::new(),
+        );
+
+        let mut ctx = ExecutionContext::new(hc, "choose_auto");
+        choose_with_match().execute(&mut ctx).await.unwrap();
+
+        assert_eq!(branch_log.lock().unwrap().len(), 0, "branch must not run when condition fails");
+        assert_eq!(default_log.lock().unwrap().len(), 1, "default must run when no branch matches");
+    }
 }

v2/crates/homecore-automation/src/engine.rs

@@ -2,56 +2,130 @@
 //! triggers, and runs automation action sequences.
 //!
 //! ADR-129 §2 design: one Tokio task per running automation instance.
-//! RunMode::Single is enforced via a per-automation `AtomicBool` flag.
+//!
+//! ## Run modes (ADR-161 §A5 → completed in ADR-162)
+//!
+//! Each registered automation owns a [`RunState`] that implements its
+//! `RunMode`: `Single`/`IgnoreFirst` skip re-entrant triggers, `Restart`
+//! aborts the in-flight run and starts a fresh one, `Queued` serializes
+//! runs in arrival order (nothing dropped), `Parallel` spawns on every
+//! trigger, and `max: N` caps concurrency via a per-automation semaphore.
+//! (ADR-161 only honored Single/Parallel; Restart/Queued/max were
+//! honestly documented as unbounded-parallel until ADR-162.)
+//!
+//! ## Time triggers (ADR-161, HC-WS-04)
+//!
+//! `Trigger::Time { at: "HH:MM:SS" }` is evaluated by a wall-clock timer
+//! task (1 Hz tokio interval) — `Trigger::matches_sync` returns false for
+//! `Time` because it has no clock. The timer fires each `time:`
+//! automation once when the local wall-clock second equals its `at`.
+//!
+//! ## Template conditions (ADR-161, HC-WS-07)
+//!
+//! The engine builds a real [`TemplateEnvironment`] over the state
+//! machine and passes it into every `EvalContext` (via
+//! `EvalContext::with_templates`), so `template:` conditions evaluate
+//! against live state instead of always returning false.
 
 use std::sync::{Arc, Mutex};
 
+use chrono::{Local, Timelike};
 use tokio::sync::broadcast;
 
 use homecore::HomeCore;
 
-use crate::action::ExecutionContext;
 use crate::automation::Automation;
 use crate::condition::EvalContext;
-use crate::trigger::TriggerContext;
+use crate::runmode::RunState;
+use crate::template::TemplateEnvironment;
+use crate::trigger::{Trigger, TriggerContext};
+
+/// An automation registered with the engine, plus its runtime run-state.
+struct Registered {
+    auto: Arc<Automation>,
+    /// Run-mode machinery (re-entrancy guard / restart abort handle /
+    /// queue mutex / concurrency semaphore) for this automation.
+    run_state: RunState,
+}
 
 /// The automation engine. Holds a HOMECORE handle and a list of registered
 /// automations. Call `start()` to begin listening for events.
 pub struct AutomationEngine {
     hc: HomeCore,
-    automations: Arc<Mutex<Vec<Arc<Automation>>>>,
+    automations: Arc<Mutex<Vec<Registered>>>,
+    templates: Arc<TemplateEnvironment>,
 }
 
 impl AutomationEngine {
     /// Create a new engine backed by the given HOMECORE handle.
     pub fn new(hc: HomeCore) -> Self {
+        let templates = Arc::new(TemplateEnvironment::new(Arc::new(hc.states().clone())));
         Self {
             hc,
             automations: Arc::new(Mutex::new(vec![])),
+            templates,
         }
     }
 
     /// Register an automation. Can be called before or after `start()`.
     pub fn register(&self, automation: Automation) {
-        self.automations.lock().unwrap().push(Arc::new(automation));
+        let run_state = RunState::new(&automation);
+        self.automations.lock().unwrap().push(Registered {
+            auto: Arc::new(automation),
+            run_state,
+        });
+    }
+
+    /// Number of registered automations.
+    pub fn len(&self) -> usize {
+        self.automations.lock().unwrap().len()
+    }
+
+    /// Is the engine holding zero automations?
+    pub fn is_empty(&self) -> bool {
+        self.len() == 0
+    }
+
+    /// Build an `EvalContext` with the engine's template environment
+    /// wired in, over a fresh snapshot of the state machine.
+    fn eval_ctx(&self) -> EvalContext {
+        EvalContext::with_templates(
+            Arc::new(self.hc.states().clone()),
+            Arc::clone(&self.templates),
+        )
     }
 
     /// Subscribe to the state-machine broadcast channel and start
-    /// evaluating triggers. Returns a join handle for the background task.
+    /// evaluating triggers. Also starts the wall-clock timer task that
+    /// evaluates `time:` triggers. Returns a join handle for the event
+    /// task (the timer task is detached and tied to the engine handle's
+    /// lifetime via the broadcast channel close).
     ///
     /// The task runs until the broadcast sender is dropped (i.e. the
     /// `HomeCore` instance is destroyed).
     pub fn start(&self) -> tokio::task::JoinHandle<()> {
+        self.start_timer();
+        self.start_event_loop()
+    }
+
+    /// Event-driven loop: state/numeric/event triggers.
+    fn start_event_loop(&self) -> tokio::task::JoinHandle<()> {
         let mut rx = self.hc.states().subscribe();
         let automations = Arc::clone(&self.automations);
         let hc = self.hc.clone();
+        let templates = Arc::clone(&self.templates);
 
         tokio::spawn(async move {
             loop {
                 match rx.recv().await {
                     Ok(event) => {
-                        let autos = automations.lock().unwrap().clone();
-                        for automation in autos {
+                        let snapshot: Vec<(Arc<Automation>, RunState)> = automations
+                            .lock()
+                            .unwrap()
+                            .iter()
+                            .map(|r| (Arc::clone(&r.auto), r.run_state.clone()))
+                            .collect();
+                        for (automation, run_state) in snapshot {
                             if !automation.enabled {
                                 continue;
                             }
@@ -60,7 +134,6 @@ impl AutomationEngine {
                                 event.old_state.clone(),
                                 event.new_state.clone(),
                             );
-                            // Check all triggers — fire on first match
                             let triggered = automation
                                 .trigger
                                 .iter()
@@ -68,36 +141,15 @@ impl AutomationEngine {
                             if !triggered {
                                 continue;
                             }
-                            // Evaluate conditions
-                            let sm = Arc::new(hc.states().clone());
-                            let eval_ctx = EvalContext::new(sm);
-                            let mut conditions_pass = true;
-                            for cond in &automation.condition {
-                                if !cond.evaluate(&eval_ctx).await {
-                                    conditions_pass = false;
-                                    break;
-                                }
-                            }
-                            if !conditions_pass {
+                            // Conditions (with template env wired in — HC-WS-07).
+                            let eval_ctx = EvalContext::with_templates(
+                                Arc::new(hc.states().clone()),
+                                Arc::clone(&templates),
+                            );
+                            if !conditions_pass(&automation, &eval_ctx).await {
                                 continue;
                             }
-                            // Execute actions in a spawned task (non-blocking)
-                            let auto_clone = Arc::clone(&automation);
-                            let hc_clone = hc.clone();
-                            tokio::spawn(async move {
-                                let mut exec_ctx =
-                                    ExecutionContext::new(hc_clone, auto_clone.id.clone());
-                                for action in &auto_clone.action {
-                                    if let Err(e) = action.execute(&mut exec_ctx).await {
-                                        // P1: log errors to stderr; structured logging in P2
-                                        eprintln!(
-                                            "[homecore-automation] action error in {}: {e}",
-                                            auto_clone.id
-                                        );
-                                        break;
-                                    }
-                                }
-                            });
+                            run_state.dispatch(&hc, automation);
                         }
                     }
                     Err(broadcast::error::RecvError::Closed) => break,
@@ -108,6 +160,126 @@ impl AutomationEngine {
             }
         })
     }
+
+    /// Wall-clock timer task: fires `time:` triggers (HC-WS-04). Ticks at
+    /// 1 Hz and runs each matching automation once when the local
+    /// wall-clock `HH:MM:SS` equals the trigger's `at`. The task exits
+    /// when the state-machine broadcast channel closes (engine teardown).
+    fn start_timer(&self) -> tokio::task::JoinHandle<()> {
+        let automations = Arc::clone(&self.automations);
+        let hc = self.hc.clone();
+        let templates = Arc::clone(&self.templates);
+        // A receiver that lets the timer notice engine teardown.
+        let mut teardown_rx = self.hc.states().subscribe();
+
+        tokio::spawn(async move {
+            let mut interval = tokio::time::interval(std::time::Duration::from_millis(1000));
+            // Track the last second we fired, to fire once per match.
+            let mut last_fired_sec: Option<String> = None;
+            loop {
+                tokio::select! {
+                    _ = interval.tick() => {
+                        let now = Local::now();
+                        let hhmmss = format!("{:02}:{:02}:{:02}", now.hour(), now.minute(), now.second());
+                        if last_fired_sec.as_deref() == Some(hhmmss.as_str()) {
+                            continue;
+                        }
+                        let snapshot: Vec<(Arc<Automation>, RunState)> = automations
+                            .lock()
+                            .unwrap()
+                            .iter()
+                            .map(|r| (Arc::clone(&r.auto), r.run_state.clone()))
+                            .collect();
+                        let mut fired_any = false;
+                        for (automation, run_state) in snapshot {
+                            if !automation.enabled {
+                                continue;
+                            }
+                            let time_match = automation.trigger.iter().any(|t| match t {
+                                Trigger::Time { at } => time_at_matches(at, &hhmmss),
+                                _ => false,
+                            });
+                            if !time_match {
+                                continue;
+                            }
+                            let eval_ctx = EvalContext::with_templates(
+                                Arc::new(hc.states().clone()),
+                                Arc::clone(&templates),
+                            );
+                            if !conditions_pass(&automation, &eval_ctx).await {
+                                continue;
+                            }
+                            run_state.dispatch(&hc, automation);
+                            fired_any = true;
+                        }
+                        if fired_any {
+                            last_fired_sec = Some(hhmmss);
+                        }
+                    }
+                    r = teardown_rx.recv() => {
+                        if let Err(broadcast::error::RecvError::Closed) = r {
+                            break;
+                        }
+                    }
+                }
+            }
+        })
+    }
+
+    /// Manually fire any `time:` automations whose `at` equals `hhmmss`
+    /// (`"HH:MM:SS"`). Bypasses the 1 Hz clock so tests can assert the
+    /// time-trigger path deterministically without waiting for a
+    /// wall-clock second to roll over. Returns the number of automations
+    /// that fired (passed conditions and were spawned).
+    pub async fn fire_time_for_test(&self, hhmmss: &str) -> usize {
+        let snapshot: Vec<(Arc<Automation>, RunState)> = self
+            .automations
+            .lock()
+            .unwrap()
+            .iter()
+            .map(|r| (Arc::clone(&r.auto), r.run_state.clone()))
+            .collect();
+        let mut fired = 0usize;
+        for (automation, run_state) in snapshot {
+            if !automation.enabled {
+                continue;
+            }
+            let time_match = automation.trigger.iter().any(|t| match t {
+                Trigger::Time { at } => time_at_matches(at, hhmmss),
+                _ => false,
+            });
+            if !time_match {
+                continue;
+            }
+            let eval_ctx = self.eval_ctx();
+            if !conditions_pass(&automation, &eval_ctx).await {
+                continue;
+            }
+            run_state.dispatch(&self.hc, automation);
+            fired += 1;
+        }
+        fired
+    }
+}
+
+/// Evaluate all of an automation's conditions (AND). Empty → pass.
+async fn conditions_pass(automation: &Automation, eval_ctx: &EvalContext) -> bool {
+    for cond in &automation.condition {
+        if !cond.evaluate(eval_ctx).await {
+            return false;
+        }
+    }
+    true
+}
+
+/// Does a `Time` trigger `at` value match the current `HH:MM:SS`?
+/// Accepts `HH:MM` (matches at :00 seconds) and `HH:MM:SS`.
+fn time_at_matches(at: &str, hhmmss: &str) -> bool {
+    let normalized = match at.matches(':').count() {
+        1 => format!("{at}:00"),
+        _ => at.to_string(),
+    };
+    normalized == hhmmss
 }
 
 #[cfg(test)]
@@ -166,7 +338,6 @@ mod tests {
 
         let _handle = engine.start();
 
-        // Fire a matching state change
         hc.states().set(
             EntityId::parse("switch.living").unwrap(),
             "on",
@@ -174,7 +345,6 @@ mod tests {
             Context::new(),
         );
 
-        // Give the async task time to run
         sleep(Duration::from_millis(50)).await;
 
         assert_eq!(log.lock().unwrap().len(), 1);
@@ -203,7 +373,6 @@ mod tests {
 
         let _handle = engine.start();
 
-        // Fire on a DIFFERENT entity
         hc.states().set(
             EntityId::parse("switch.bedroom").unwrap(),
             "on",
@@ -249,4 +418,16 @@ mod tests {
         sleep(Duration::from_millis(50)).await;
         assert_eq!(log.lock().unwrap().len(), 0, "disabled automation should not fire");
     }
+
+    // Behavioral tests for the timer / run-mode / template paths
+    // (HC-WS-04/05/07) live in `tests/engine_behaviors.rs` to keep this
+    // file under the 500-line guideline; they use only the public API.
+
+    #[test]
+    fn time_at_matches_handles_hh_mm_and_hh_mm_ss() {
+        assert!(time_at_matches("07:30", "07:30:00"));
+        assert!(time_at_matches("07:30:15", "07:30:15"));
+        assert!(!time_at_matches("07:30", "07:30:01"));
+        assert!(!time_at_matches("07:30:15", "07:30:16"));
+    }
 }

v2/crates/homecore-automation/src/lib.rs

@@ -19,6 +19,7 @@ pub mod condition;
 pub mod action;
 pub mod template;
 pub mod engine;
+pub mod runmode;
 pub mod error;
 
 pub use automation::{Automation, RunMode};

v2/crates/homecore-automation/src/runmode.rs

@@ -0,0 +1,153 @@
+//! Per-automation run-mode machinery (ADR-162, completes ADR-161 §A5).
+//!
+//! ADR-161 implemented `RunMode::Single` (a per-automation `AtomicBool`
+//! re-entrancy guard) and `Parallel`, but honestly left `Restart`, `Queued`
+//! and `max: N` as "ACCEPTED-FUTURE / unbounded parallel" — every non-Single
+//! mode spawned an unbounded task. This module makes them real:
+//!
+//! | Mode | Semantics implemented |
+//! |------|-----------------------|
+//! | `Single` / `IgnoreFirst` | re-entrancy guard: skip while a run is in flight (ADR-161). |
+//! | `Restart` | **cancel** the in-flight run (`tokio::task::AbortHandle`) and start a fresh one. |
+//! | `Queued` | **serialize**: runs execute sequentially in arrival order via a per-automation async mutex — nothing is dropped. |
+//! | `Parallel` | spawn on every trigger (optionally capped, see below). |
+//! | `max: N` | cap concurrency at **N** via a per-automation semaphore; triggers beyond N **queue** (await a permit) rather than running concurrently — matching HA's bounded `parallel`/`queued`. |
+//!
+//! Each registered automation owns one [`RunState`]; the engine calls
+//! [`RunState::dispatch`] on every (trigger + conditions-passed) event.
+
+use std::sync::atomic::{AtomicBool, Ordering};
+use std::sync::{Arc, Mutex};
+
+use tokio::sync::{Mutex as AsyncMutex, Semaphore};
+
+use homecore::HomeCore;
+
+use crate::action::ExecutionContext;
+use crate::automation::{Automation, RunMode};
+
+/// Per-automation runtime state backing the run-mode dispatch.
+///
+/// Cheap to clone (all fields are `Arc`); the engine clones it into each
+/// spawned run so the machinery (abort handle, queue mutex, semaphore) is
+/// shared across all triggers of the same automation.
+#[derive(Clone)]
+pub struct RunState {
+    /// `Single`/`IgnoreFirst` re-entrancy guard (ADR-161 §A5).
+    running: Arc<AtomicBool>,
+    /// `Restart`: handle to the currently-running action task, so a new
+    /// trigger can abort it before starting a fresh one.
+    current: Arc<Mutex<Option<tokio::task::AbortHandle>>>,
+    /// `Queued`: serializes runs in arrival order (one at a time, FIFO via
+    /// fair async mutex acquisition).
+    queue_lock: Arc<AsyncMutex<()>>,
+    /// `max: N` (and bounded `Parallel`): caps concurrent runs at N.
+    /// `None` when no cap applies.
+    semaphore: Option<Arc<Semaphore>>,
+}
+
+impl RunState {
+    /// Build run-state for an automation, sizing the concurrency semaphore
+    /// from its `max:` field (only meaningful for `Queued`/`Parallel`).
+    pub fn new(automation: &Automation) -> Self {
+        let semaphore = automation
+            .max
+            .filter(|n| *n > 0)
+            .map(|n| Arc::new(Semaphore::new(n)));
+        Self {
+            running: Arc::new(AtomicBool::new(false)),
+            current: Arc::new(Mutex::new(None)),
+            queue_lock: Arc::new(AsyncMutex::new(())),
+            semaphore,
+        }
+    }
+
+    /// Dispatch one trigger for `automation` according to its `RunMode`.
+    /// Honors Single re-entrancy, Restart cancel-and-replace, Queued
+    /// serialization, and `max:` concurrency capping.
+    pub fn dispatch(&self, hc: &HomeCore, automation: Arc<Automation>) {
+        match automation.mode {
+            RunMode::Single | RunMode::IgnoreFirst => self.dispatch_single(hc, automation),
+            RunMode::Restart => self.dispatch_restart(hc, automation),
+            RunMode::Queued => self.dispatch_queued(hc, automation),
+            RunMode::Parallel => self.dispatch_parallel(hc, automation),
+        }
+    }
+
+    /// `Single`: skip if a run is already in flight; clear the flag on done.
+    fn dispatch_single(&self, hc: &HomeCore, automation: Arc<Automation>) {
+        if self
+            .running
+            .compare_exchange(false, true, Ordering::SeqCst, Ordering::SeqCst)
+            .is_err()
+        {
+            return; // already running — skip re-entrant trigger.
+        }
+        let hc = hc.clone();
+        let running = Arc::clone(&self.running);
+        tokio::spawn(async move {
+            run_actions(&hc, &automation).await;
+            running.store(false, Ordering::SeqCst);
+        });
+    }
+
+    /// `Restart`: abort the in-flight run (if any), then start a fresh one
+    /// and record its abort handle.
+    fn dispatch_restart(&self, hc: &HomeCore, automation: Arc<Automation>) {
+        // Abort any prior run before starting the new one.
+        if let Some(prev) = self.current.lock().unwrap().take() {
+            prev.abort();
+        }
+        let hc = hc.clone();
+        let slot = Arc::clone(&self.current);
+        let handle = tokio::spawn(async move {
+            run_actions(&hc, &automation).await;
+        });
+        *slot.lock().unwrap() = Some(handle.abort_handle());
+    }
+
+    /// `Queued`: serialize via the per-automation async mutex. Each trigger
+    /// spawns a task that waits its turn, so all triggers run in arrival
+    /// order, one at a time — nothing is dropped.
+    fn dispatch_queued(&self, hc: &HomeCore, automation: Arc<Automation>) {
+        let hc = hc.clone();
+        let lock = Arc::clone(&self.queue_lock);
+        let sem = self.semaphore.clone();
+        tokio::spawn(async move {
+            // Optional `max:` cap still applies on top of serialization.
+            let _permit = match &sem {
+                Some(s) => Some(s.acquire().await.expect("semaphore not closed")),
+                None => None,
+            };
+            let _guard = lock.lock().await; // FIFO turn — sequential execution.
+            run_actions(&hc, &automation).await;
+        });
+    }
+
+    /// `Parallel`: spawn on every trigger, capped at `max:` if set.
+    fn dispatch_parallel(&self, hc: &HomeCore, automation: Arc<Automation>) {
+        let hc = hc.clone();
+        let sem = self.semaphore.clone();
+        tokio::spawn(async move {
+            let _permit = match &sem {
+                Some(s) => Some(s.acquire().await.expect("semaphore not closed")),
+                None => None,
+            };
+            run_actions(&hc, &automation).await;
+        });
+    }
+}
+
+/// Execute an automation's action sequence once.
+async fn run_actions(hc: &HomeCore, automation: &Automation) {
+    let mut exec_ctx = ExecutionContext::new(hc.clone(), automation.id.clone());
+    for action in &automation.action {
+        if let Err(e) = action.execute(&mut exec_ctx).await {
+            eprintln!(
+                "[homecore-automation] action error in {}: {e}",
+                automation.id
+            );
+            break;
+        }
+    }
+}

v2/crates/homecore-automation/src/trigger.rs

@@ -150,7 +150,12 @@ impl Trigger {
                 true
             }
             Trigger::Time { .. } => {
-                // Time triggers are evaluated by the engine's timer task, not here.
+                // Time triggers are wall-clock based and have no state-change
+                // context to match here. They are evaluated by the engine's
+                // 1 Hz timer task (`AutomationEngine::start_timer`, HC-WS-04 /
+                // ADR-161), which compares the trigger's `at` against the local
+                // wall-clock second. `matches_sync` therefore returns false for
+                // `Time` on the state-change path by design.
                 false
             }
             Trigger::Event { event_type } => {

v2/crates/homecore-automation/tests/engine_behaviors.rs

@@ -0,0 +1,418 @@
+//! Engine behavioral integration tests (ADR-161, HC-WS-04/05/07).
+//!
+//! These exercise the `AutomationEngine` runtime through its public API
+//! only (extracted from the inline module to keep `engine.rs` under the
+//! 500-line file guideline):
+//!
+//! - HC-WS-04 — `time:` triggers fire via the engine timer path.
+//! - HC-WS-05 — `RunMode::Single` does not double-fire; `Parallel` does.
+//! - HC-WS-07 — `template:` conditions evaluate against live state in the
+//!   engine path (no longer always-false).
+//!
+//! Each fails on the pre-fix engine (no timer task, unbounded-parallel
+//! regardless of mode, `template_env: None`).
+
+use std::sync::atomic::{AtomicUsize, Ordering};
+use std::sync::{Arc, Mutex};
+
+use homecore::service::FnHandler;
+use homecore::{Context, EntityId, HomeCore, ServiceCall, ServiceName};
+use homecore_automation::{Action, Automation, AutomationEngine, Condition, RunMode, Trigger};
+use tokio::time::{sleep, Duration};
+
+async fn register_recorder(
+    hc: &HomeCore,
+    domain: &str,
+    service: &str,
+) -> Arc<Mutex<Vec<serde_json::Value>>> {
+    let log: Arc<Mutex<Vec<serde_json::Value>>> = Arc::new(Mutex::new(vec![]));
+    let log2 = Arc::clone(&log);
+    hc.services()
+        .register(
+            ServiceName::new(domain, service),
+            FnHandler(move |call: ServiceCall| {
+                let l = Arc::clone(&log2);
+                async move {
+                    l.lock().unwrap().push(call.data.clone());
+                    Ok(serde_json::Value::Null)
+                }
+            }),
+        )
+        .await;
+    log
+}
+
+// ── HC-WS-04: time triggers fire ───────────────────────────────────
+#[tokio::test]
+async fn time_trigger_fires_via_timer_path() {
+    let hc = HomeCore::new();
+    let log = register_recorder(&hc, "light", "turn_on").await;
+
+    let engine = AutomationEngine::new(hc.clone());
+    engine.register(Automation::new(
+        "time_auto",
+        vec![Trigger::Time { at: "07:30:00".into() }],
+        vec![Action::ServiceCall {
+            domain: "light".into(),
+            service: "turn_on".into(),
+            data: serde_json::json!({"by": "time"}),
+        }],
+    ));
+
+    // Deterministically fire the timer path for the matching second.
+    let fired = engine.fire_time_for_test("07:30:00").await;
+    assert_eq!(fired, 1, "time automation should fire for matching HH:MM:SS");
+    sleep(Duration::from_millis(50)).await;
+    assert_eq!(log.lock().unwrap().len(), 1, "time trigger should run its action");
+
+    // A non-matching second must NOT fire.
+    let none = engine.fire_time_for_test("09:00:00").await;
+    assert_eq!(none, 0);
+}
+
+// ── HC-WS-05: RunMode::Single does not double-fire ─────────────────
+#[tokio::test]
+async fn single_mode_does_not_double_fire_on_rapid_triggers() {
+    let hc = HomeCore::new();
+    let count = Arc::new(AtomicUsize::new(0));
+    let count2 = Arc::clone(&count);
+    hc.services()
+        .register(
+            ServiceName::new("light", "slow"),
+            FnHandler(move |_call: ServiceCall| {
+                let c = Arc::clone(&count2);
+                async move {
+                    c.fetch_add(1, Ordering::SeqCst);
+                    sleep(Duration::from_millis(200)).await;
+                    Ok(serde_json::Value::Null)
+                }
+            }),
+        )
+        .await;
+
+    let engine = AutomationEngine::new(hc.clone());
+    let mut auto = Automation::new(
+        "single_auto",
+        vec![Trigger::State {
+            entity_id: EntityId::parse("switch.s").unwrap(),
+            from: None,
+            to: None,
+        }],
+        vec![Action::ServiceCall {
+            domain: "light".into(),
+            service: "slow".into(),
+            data: serde_json::json!({}),
+        }],
+    );
+    auto.mode = RunMode::Single;
+    engine.register(auto);
+    let _handle = engine.start();
+
+    // Two rapid triggers while the first run is still sleeping.
+    hc.states().set(EntityId::parse("switch.s").unwrap(), "a", serde_json::json!({}), Context::new());
+    sleep(Duration::from_millis(20)).await;
+    hc.states().set(EntityId::parse("switch.s").unwrap(), "b", serde_json::json!({}), Context::new());
+
+    sleep(Duration::from_millis(350)).await;
+    assert_eq!(
+        count.load(Ordering::SeqCst),
+        1,
+        "Single-mode automation must not double-fire while already running"
+    );
+}
+
+#[tokio::test]
+async fn parallel_mode_does_fire_concurrently() {
+    let hc = HomeCore::new();
+    let count = Arc::new(AtomicUsize::new(0));
+    let count2 = Arc::clone(&count);
+    hc.services()
+        .register(
+            ServiceName::new("light", "slow"),
+            FnHandler(move |_call: ServiceCall| {
+                let c = Arc::clone(&count2);
+                async move {
+                    c.fetch_add(1, Ordering::SeqCst);
+                    sleep(Duration::from_millis(150)).await;
+                    Ok(serde_json::Value::Null)
+                }
+            }),
+        )
+        .await;
+
+    let engine = AutomationEngine::new(hc.clone());
+    let mut auto = Automation::new(
+        "parallel_auto",
+        vec![Trigger::State {
+            entity_id: EntityId::parse("switch.p").unwrap(),
+            from: None,
+            to: None,
+        }],
+        vec![Action::ServiceCall {
+            domain: "light".into(),
+            service: "slow".into(),
+            data: serde_json::json!({}),
+        }],
+    );
+    auto.mode = RunMode::Parallel;
+    engine.register(auto);
+    let _handle = engine.start();
+
+    hc.states().set(EntityId::parse("switch.p").unwrap(), "a", serde_json::json!({}), Context::new());
+    sleep(Duration::from_millis(20)).await;
+    hc.states().set(EntityId::parse("switch.p").unwrap(), "b", serde_json::json!({}), Context::new());
+
+    sleep(Duration::from_millis(300)).await;
+    assert_eq!(
+        count.load(Ordering::SeqCst),
+        2,
+        "Parallel-mode automation should fire on every trigger"
+    );
+}
+
+// ── HC-WS-07: template conditions evaluate in the engine path ──────
+#[tokio::test]
+async fn template_condition_evaluates_true_in_engine() {
+    let hc = HomeCore::new();
+    let log = register_recorder(&hc, "light", "turn_on").await;
+
+    hc.states().set(
+        EntityId::parse("sensor.flag").unwrap(),
+        "on",
+        serde_json::json!({}),
+        Context::new(),
+    );
+
+    let engine = AutomationEngine::new(hc.clone());
+    let mut auto = Automation::new(
+        "tmpl_auto",
+        vec![Trigger::State {
+            entity_id: EntityId::parse("switch.trigger").unwrap(),
+            from: None,
+            to: None,
+        }],
+        vec![Action::ServiceCall {
+            domain: "light".into(),
+            service: "turn_on".into(),
+            data: serde_json::json!({}),
+        }],
+    );
+    auto.condition = vec![Condition::Template {
+        value_template: "{{ is_state('sensor.flag', 'on') }}".into(),
+    }];
+    engine.register(auto);
+    let _handle = engine.start();
+
+    hc.states().set(
+        EntityId::parse("switch.trigger").unwrap(),
+        "go",
+        serde_json::json!({}),
+        Context::new(),
+    );
+    sleep(Duration::from_millis(50)).await;
+    assert_eq!(
+        log.lock().unwrap().len(),
+        1,
+        "template condition should evaluate true and let the action run (HC-WS-07)"
+    );
+}
+
+#[tokio::test]
+async fn template_condition_evaluates_false_blocks_action() {
+    let hc = HomeCore::new();
+    let log = register_recorder(&hc, "light", "turn_on").await;
+    hc.states().set(
+        EntityId::parse("sensor.flag").unwrap(),
+        "off",
+        serde_json::json!({}),
+        Context::new(),
+    );
+
+    let engine = AutomationEngine::new(hc.clone());
+    let mut auto = Automation::new(
+        "tmpl_auto_false",
+        vec![Trigger::State {
+            entity_id: EntityId::parse("switch.trigger").unwrap(),
+            from: None,
+            to: None,
+        }],
+        vec![Action::ServiceCall {
+            domain: "light".into(),
+            service: "turn_on".into(),
+            data: serde_json::json!({}),
+        }],
+    );
+    auto.condition = vec![Condition::Template {
+        value_template: "{{ is_state('sensor.flag', 'on') }}".into(),
+    }];
+    engine.register(auto);
+    let _handle = engine.start();
+
+    hc.states().set(
+        EntityId::parse("switch.trigger").unwrap(),
+        "go",
+        serde_json::json!({}),
+        Context::new(),
+    );
+    sleep(Duration::from_millis(50)).await;
+    assert_eq!(log.lock().unwrap().len(), 0, "false template condition should block the action");
+}
+
+// ── ADR-162 (completes ADR-161 §A5): bounded RunModes ───────────────
+//
+// ADR-161 honored only Single/Parallel; Restart/Queued/max were honestly
+// documented as unbounded-parallel. These tests drive the real
+// Restart/Queued/max machinery and FAIL on the old engine (where every
+// non-Single mode spawned an unbounded parallel task).
+
+/// A service that increments a live concurrency gauge on entry, sleeps,
+/// then decrements — recording the maximum concurrency ever observed and
+/// the total number of completed runs. Returns `(max_concurrency, completed)`.
+async fn register_gauge(
+    hc: &HomeCore,
+    domain: &str,
+    service: &str,
+    work: Duration,
+) -> (Arc<AtomicUsize>, Arc<AtomicUsize>) {
+    let live = Arc::new(AtomicUsize::new(0));
+    let max_seen = Arc::new(AtomicUsize::new(0));
+    let completed = Arc::new(AtomicUsize::new(0));
+    let (l, m, c) = (Arc::clone(&live), Arc::clone(&max_seen), Arc::clone(&completed));
+    hc.services()
+        .register(
+            ServiceName::new(domain, service),
+            FnHandler(move |_call: ServiceCall| {
+                let (l, m, c) = (Arc::clone(&l), Arc::clone(&m), Arc::clone(&c));
+                async move {
+                    let now = l.fetch_add(1, Ordering::SeqCst) + 1;
+                    m.fetch_max(now, Ordering::SeqCst);
+                    sleep(work).await;
+                    l.fetch_sub(1, Ordering::SeqCst);
+                    c.fetch_add(1, Ordering::SeqCst);
+                    Ok(serde_json::Value::Null)
+                }
+            }),
+        )
+        .await;
+    (max_seen, completed)
+}
+
+fn state_auto(id: &str, entity: &str, domain: &str, service: &str) -> Automation {
+    Automation::new(
+        id,
+        vec![Trigger::State {
+            entity_id: EntityId::parse(entity).unwrap(),
+            from: None,
+            to: None,
+        }],
+        vec![Action::ServiceCall {
+            domain: domain.into(),
+            service: service.into(),
+            data: serde_json::json!({}),
+        }],
+    )
+}
+
+// ── Restart: cancels the in-flight run ─────────────────────────────
+#[tokio::test]
+async fn restart_mode_cancels_prior_run() {
+    let hc = HomeCore::new();
+    // Each run sleeps 300ms before recording completion.
+    let (_max, completed) =
+        register_gauge(&hc, "light", "slow", Duration::from_millis(300)).await;
+
+    let engine = AutomationEngine::new(hc.clone());
+    let mut auto = state_auto("restart_auto", "switch.r", "light", "slow");
+    auto.mode = RunMode::Restart;
+    engine.register(auto);
+    let _handle = engine.start();
+
+    // Trigger 1 starts the slow run.
+    hc.states().set(EntityId::parse("switch.r").unwrap(), "a", serde_json::json!({}), Context::new());
+    sleep(Duration::from_millis(80)).await;
+    // Trigger 2 arrives mid-run → must ABORT run 1 and start run 2.
+    hc.states().set(EntityId::parse("switch.r").unwrap(), "b", serde_json::json!({}), Context::new());
+
+    // Wait long enough for run 2 (started ~80ms in) to finish, but run 1
+    // (aborted at ~80ms, would have finished at ~300ms) must NOT complete.
+    sleep(Duration::from_millis(400)).await;
+    assert_eq!(
+        completed.load(Ordering::SeqCst),
+        1,
+        "Restart must cancel the in-flight run: exactly the restarted run completes (not both). \
+         On the old engine both ran to completion → 2."
+    );
+}
+
+// ── Queued: serialize N rapid triggers, all run, never concurrent ──
+#[tokio::test]
+async fn queued_mode_runs_sequentially_not_concurrently() {
+    let hc = HomeCore::new();
+    let (max_seen, completed) =
+        register_gauge(&hc, "light", "slow", Duration::from_millis(120)).await;
+
+    let engine = AutomationEngine::new(hc.clone());
+    let mut auto = state_auto("queued_auto", "switch.q", "light", "slow");
+    auto.mode = RunMode::Queued;
+    engine.register(auto);
+    let _handle = engine.start();
+
+    // Three rapid triggers.
+    for v in ["a", "b", "c"] {
+        hc.states().set(EntityId::parse("switch.q").unwrap(), v, serde_json::json!({}), Context::new());
+        sleep(Duration::from_millis(10)).await;
+    }
+
+    // 3 runs × 120ms serialized ≈ 360ms; wait generously.
+    sleep(Duration::from_millis(600)).await;
+    assert_eq!(
+        completed.load(Ordering::SeqCst),
+        3,
+        "Queued must run every trigger (nothing dropped)"
+    );
+    assert_eq!(
+        max_seen.load(Ordering::SeqCst),
+        1,
+        "Queued must never run two instances concurrently. On the old engine all 3 ran in \
+         parallel → max concurrency 3."
+    );
+}
+
+// ── max: 2 → never more than 2 concurrent ──────────────────────────
+#[tokio::test]
+async fn max_two_caps_concurrency_at_two() {
+    let hc = HomeCore::new();
+    let (max_seen, completed) =
+        register_gauge(&hc, "light", "slow", Duration::from_millis(150)).await;
+
+    let engine = AutomationEngine::new(hc.clone());
+    let mut auto = state_auto("max_auto", "switch.m", "light", "slow");
+    auto.mode = RunMode::Parallel;
+    auto.max = Some(2);
+    engine.register(auto);
+    let _handle = engine.start();
+
+    // Four rapid triggers — without the cap all 4 would run at once.
+    for v in ["a", "b", "c", "d"] {
+        hc.states().set(EntityId::parse("switch.m").unwrap(), v, serde_json::json!({}), Context::new());
+        sleep(Duration::from_millis(10)).await;
+    }
+
+    sleep(Duration::from_millis(600)).await;
+    assert_eq!(
+        completed.load(Ordering::SeqCst),
+        4,
+        "max:2 must still run all 4 triggers (queued beyond the cap, not dropped)"
+    );
+    assert!(
+        max_seen.load(Ordering::SeqCst) <= 2,
+        "max:2 must never exceed 2 concurrent runs (observed {}). On the old engine all 4 ran \
+         concurrently → 4.",
+        max_seen.load(Ordering::SeqCst)
+    );
+    assert!(
+        max_seen.load(Ordering::SeqCst) >= 2,
+        "max:2 should reach the cap of 2 with 4 rapid triggers (observed {})",
+        max_seen.load(Ordering::SeqCst)
+    );
+}

v2/crates/homecore-plugins/Cargo.toml

@@ -50,6 +50,15 @@ serde_json = "1"
 # UUIDs for config entry IDs in host_abi.rs.
 uuid = { version = "1", features = ["v4"] }
 
+# ── ADR-162 P4: plugin signature + integrity verification ──────────────────
+# Reuses the same in-repo crypto stack as cog-ha-matter (witness_signing.rs):
+# Ed25519 over a SHA-256 module digest. All four are already in the workspace
+# Cargo.lock (cog-ha-matter / bfld pull them in) — no new external dep tree.
+ed25519-dalek = "2.1"
+sha2 = { workspace = true }
+hex = "0.4"
+base64 = "0.22"
+
 # Optional Wasmtime runtime (P2, default-off — 30 MB dep).
 # Bumped from 25.0.3 → 42 to remediate RUSTSEC-2026-0095 and RUSTSEC-2026-0096
 # (Cranelift/Winch sandbox-escape CVEs, CVSS 9.0 — iter-11 security sprint HC-03/04).

v2/crates/homecore-plugins/src/error.rs

@@ -25,6 +25,18 @@ pub enum PluginError {
     #[error("plugin setup failed: {0}")]
     SetupFailed(String),
 
+    /// The plugin failed signature/integrity verification (ADR-162 P4):
+    /// hash mismatch, bad signature, untrusted publisher, or unsigned
+    /// module under a non-dev trust policy.
+    #[error("plugin signature rejected: {0}")]
+    SignatureRejected(String),
+
+    /// A plugin attempted a host call (e.g. `hc_state_set`) on an entity
+    /// it did not declare in `homecore_permissions` (ADR-162 P5 authority
+    /// isolation).
+    #[error("plugin permission denied: {0}")]
+    PermissionDenied(String),
+
     /// The plugin's `unload` hook returned an error.
     #[error("plugin unload failed: {0}")]
     UnloadFailed(String),

v2/crates/homecore-plugins/src/lib.rs

@@ -22,8 +22,16 @@
 //! - Host ABI wiring: `hc_state_get`, `hc_state_set`, `hc_event_fire`, etc.
 //!   (P2 — requires ADR-127 state machine API freeze first).
 //! - Config entry lifecycle + hot-load (P3).
-//! - Cog registry distribution + Ed25519 signature verification (P4).
-//! - Permission enforcement (P5).
+//!
+//! ## Now enforced (ADR-162)
+//!
+//! - **Ed25519 signature + SHA-256 integrity verification (P4)** — see
+//!   [`verify`]: the plugin load path hashes the real `.wasm` bytes, checks
+//!   the manifest `wasm_module_hash`, verifies `wasm_module_sig` against
+//!   `publisher_key`, and enforces a [`verify::PluginPolicy`] allowlist.
+//! - **Permission / authority isolation (P5)** — see [`permissions`]: a
+//!   plugin's `hc_state_set` writes are gated against the entity domains/
+//!   globs it declared in `homecore_permissions`.
 //!
 //! ## Feature flags
 //!
@@ -35,9 +43,11 @@
 pub mod error;
 pub mod host_abi;
 pub mod manifest;
+pub mod permissions;
 pub mod plugin;
 pub mod registry;
 pub mod runtime;
+pub mod verify;
 
 #[cfg(feature = "wasmtime")]
 pub mod wasmtime_runtime;
@@ -45,9 +55,11 @@ pub mod wasmtime_runtime;
 pub use error::PluginError;
 pub use host_abi::{ConfigEntryJson, StateChangedEventJson};
 pub use manifest::{IotClass, IntegrationType, PluginManifest};
+pub use permissions::PermissionSet;
 pub use plugin::{HomeCorePlugin, PluginId};
 pub use registry::PluginRegistry;
 pub use runtime::{InProcessRuntime, LoadedPlugin, PluginRuntime};
+pub use verify::{verify_module, PluginPolicy};
 
 #[cfg(feature = "wasmtime")]
 pub use wasmtime_runtime::{WasmPlugin, WasmtimeRuntime};

v2/crates/homecore-plugins/src/manifest.rs

@@ -83,15 +83,28 @@ pub struct PluginManifest {
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub wasm_module: Option<String>,
 
-    /// [HOMECORE] `sha256:<hex>` hash of the wasm binary; verified before execution.
+    /// [HOMECORE] `sha256:<hex>` hash of the wasm binary.
+    ///
+    /// **(P4 — ENFORCED, ADR-162):** `verify::verify_module` computes the
+    /// SHA-256 of the real `.wasm` bytes on load and rejects the module if
+    /// it does not equal this hash (tamper detection). See [`crate::verify`].
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub wasm_module_hash: Option<String>,
 
     /// [HOMECORE] Ed25519 signature of the wasm binary hash (`ed25519:<base64>`).
+    ///
+    /// **(P4 — ENFORCED, ADR-162):** verified against `publisher_key` over
+    /// the SHA-256 module digest before instantiation. A bad/forged/absent
+    /// signature is rejected under the secure trust policy (the
+    /// `cog-ha-matter::witness_signing` Ed25519 pattern is reused).
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub wasm_module_sig: Option<String>,
 
     /// [HOMECORE] Ed25519 public key of the plugin publisher.
+    ///
+    /// **(P4 — ENFORCED, ADR-162):** used to verify `wasm_module_sig`, and
+    /// checked against the host's [`crate::verify::PluginPolicy`] trust
+    /// allowlist — an unknown publisher is rejected by the secure default.
     #[serde(default, skip_serializing_if = "Option::is_none")]
     pub publisher_key: Option<String>,
 
@@ -104,6 +117,12 @@ pub struct PluginManifest {
     pub host_imports_required: Vec<String>,
 
     /// [HOMECORE] Coarse-grained permission claims (glob patterns).
+    ///
+    /// **(P5 — ENFORCED, ADR-162):** `state:write:<glob>` (or a bare entity
+    /// glob like `light.*`) grants are parsed into a
+    /// [`crate::permissions::PermissionSet` ] and consulted by the
+    /// `hc_state_set` host import. A plugin can no longer write an entity it
+    /// did not declare; a plugin with no write grants can write nothing.
     #[serde(default)]
     pub homecore_permissions: Vec<PermissionClaim>,
 

v2/crates/homecore-plugins/src/permissions.rs

@@ -0,0 +1,168 @@
+//! Plugin authority / capability isolation (ADR-162, P5).
+//!
+//! Wasmtime already gives a plugin **memory** isolation — it cannot read
+//! another plugin's linear memory. It does NOT, by itself, stop a plugin
+//! from using a host import to write any entity it likes. Before this fix
+//! `hc_state_set` happily let any plugin write `lock.front_door` or
+//! `alarm_control_panel.*`, and the manifest's `homecore_permissions`
+//! claims were parsed but **never consulted** (ADR-161 deferred P5).
+//!
+//! This module adds **authority isolation**: a plugin may only write
+//! entities its manifest declared. The host import consults a
+//! [`PermissionSet`] before applying any state write and returns a typed
+//! error to the guest (it does **not** panic the host) on a violation.
+//!
+//! ## Permission grammar
+//!
+//! Each entry in `homecore_permissions` is one of:
+//!
+//!   * a bare entity glob — `"light.*"`, `"light.kitchen"`, `"*"`;
+//!   * the explicit capability form `"state:write:<glob>"` (the form the
+//!     ADR-128 manifest doc shows), e.g. `"state:write:sensor.*"`.
+//!
+//! A glob supports a single trailing `*` (HA-style domain wildcards:
+//! `light.*` matches every `light` entity) and a leading-or-bare `*`
+//! (`*` = everything). Exact strings match exactly. A plugin with **no**
+//! `state:write` entries can write **nothing** — the secure default.
+
+use crate::manifest::PluginManifest;
+
+/// The set of entity-write permissions a plugin holds, distilled from its
+/// manifest `homecore_permissions` at load time.
+#[derive(Debug, Clone, Default)]
+pub struct PermissionSet {
+    /// Glob patterns the plugin may write (state:write authority). Empty =
+    /// the plugin may write nothing.
+    write_globs: Vec<String>,
+}
+
+impl PermissionSet {
+    /// Build a permission set from a manifest's `homecore_permissions`.
+    ///
+    /// Only `state:write` authority is modelled here (the host import this
+    /// gates is `hc_state_set`). A bare glob (`"light.*"`) is treated as a
+    /// write grant; the explicit `"state:write:<glob>"` form is also
+    /// accepted. Other capability strings (`state:read:*`, future verbs)
+    /// are ignored for write-gating purposes.
+    pub fn from_manifest(manifest: &PluginManifest) -> Self {
+        let mut write_globs = Vec::new();
+        for claim in &manifest.homecore_permissions {
+            let claim = claim.trim();
+            if let Some(glob) = claim.strip_prefix("state:write:") {
+                write_globs.push(glob.trim().to_string());
+            } else if claim.starts_with("state:read:") {
+                // read authority — not relevant to write gating.
+            } else if !claim.is_empty() {
+                // Bare glob — treat as a write grant.
+                write_globs.push(claim.to_string());
+            }
+        }
+        Self { write_globs }
+    }
+
+    /// An all-allowing set (equivalent to a `"*"` grant). Used by the
+    /// legacy permission-free `WasmtimeRuntime::load_wasm` path so existing
+    /// callers/tests that do not supply a manifest keep working; the
+    /// permission-gated path uses [`Self::from_manifest`].
+    pub fn allow_all() -> Self {
+        Self {
+            write_globs: vec!["*".to_string()],
+        }
+    }
+
+    /// May this plugin write the given entity id (e.g. `"light.kitchen"`)?
+    pub fn may_write(&self, entity_id: &str) -> bool {
+        self.write_globs.iter().any(|g| glob_matches(g, entity_id))
+    }
+
+    /// Number of write-grant globs (0 = can write nothing).
+    pub fn write_grant_count(&self) -> usize {
+        self.write_globs.len()
+    }
+}
+
+/// Match `entity_id` against a single glob pattern.
+///
+/// Supported forms:
+///   * `"*"`              → matches anything.
+///   * `"light.*"`        → trailing wildcard: any id with the `light.` prefix.
+///   * `"light.kitchen"`  → exact match.
+fn glob_matches(pattern: &str, entity_id: &str) -> bool {
+    if pattern == "*" {
+        return true;
+    }
+    if let Some(prefix) = pattern.strip_suffix('*') {
+        return entity_id.starts_with(prefix);
+    }
+    pattern == entity_id
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    fn manifest_with(perms: &[&str]) -> PluginManifest {
+        PluginManifest {
+            domain: "p".into(),
+            name: "P".into(),
+            version: "1".into(),
+            documentation: None,
+            iot_class: None,
+            config_flow: false,
+            integration_type: None,
+            dependencies: vec![],
+            requirements: vec![],
+            wasm_module: None,
+            wasm_module_hash: None,
+            wasm_module_sig: None,
+            publisher_key: None,
+            min_homecore_version: None,
+            host_imports_required: vec![],
+            homecore_permissions: perms.iter().map(|s| s.to_string()).collect(),
+            cog_id: None,
+        }
+    }
+
+    #[test]
+    fn domain_glob_allows_same_domain_only() {
+        let ps = PermissionSet::from_manifest(&manifest_with(&["light.*"]));
+        assert!(ps.may_write("light.kitchen"));
+        assert!(ps.may_write("light.bedroom"));
+        assert!(!ps.may_write("lock.front_door"));
+        assert!(!ps.may_write("alarm_control_panel.home"));
+    }
+
+    #[test]
+    fn no_permissions_can_write_nothing() {
+        let ps = PermissionSet::from_manifest(&manifest_with(&[]));
+        assert_eq!(ps.write_grant_count(), 0);
+        assert!(!ps.may_write("light.kitchen"));
+        assert!(!ps.may_write("sensor.temp"));
+    }
+
+    #[test]
+    fn explicit_state_write_form_is_honored() {
+        let ps = PermissionSet::from_manifest(&manifest_with(&["state:write:sensor.*"]));
+        assert!(ps.may_write("sensor.temp"));
+        assert!(!ps.may_write("light.kitchen"));
+    }
+
+    #[test]
+    fn read_grants_do_not_confer_write() {
+        let ps = PermissionSet::from_manifest(&manifest_with(&["state:read:lock.*"]));
+        assert!(!ps.may_write("lock.front_door"));
+    }
+
+    #[test]
+    fn exact_entity_grant_is_scoped() {
+        let ps = PermissionSet::from_manifest(&manifest_with(&["light.kitchen"]));
+        assert!(ps.may_write("light.kitchen"));
+        assert!(!ps.may_write("light.bedroom"));
+    }
+
+    #[test]
+    fn wildcard_grants_everything() {
+        let ps = PermissionSet::from_manifest(&manifest_with(&["*"]));
+        assert!(ps.may_write("lock.front_door"));
+    }
+}

v2/crates/homecore-plugins/src/verify.rs

@@ -0,0 +1,397 @@
+//! Plugin signature & integrity verification (ADR-162, P4).
+//!
+//! ADR-161/B5 honestly relabelled the manifest's `wasm_module_hash` /
+//! `wasm_module_sig` / `publisher_key` fields as "(P4 — not yet enforced)":
+//! they were parsed and round-tripped but **never checked** before a plugin
+//! ran. This module makes that claim TRUE — it is the real verification gate
+//! the plugin load path runs before instantiating any `.wasm` module.
+//!
+//! ## What is verified, in order
+//!
+//! 1. **Module hash** — SHA-256 of the actual `.wasm` bytes must equal the
+//!    manifest's `wasm_module_hash` (`sha256:<hex>`). A tampered module
+//!    (one byte changed) fails here.
+//! 2. **Ed25519 signature** — `wasm_module_sig` (`ed25519:<base64>`, 64-byte
+//!    raw signature) must verify over the **32-byte SHA-256 digest** under
+//!    the `publisher_key` (`ed25519:<base64>`, 32-byte raw verifying key).
+//! 3. **Trust policy** — the `publisher_key` must be on the configured
+//!    allowlist, unless [`PluginPolicy::AllowUnsigned`] is in force (a loud
+//!    dev escape hatch).
+//!
+//! The crypto mirrors the in-repo Ed25519 pattern from
+//! `cog-ha-matter::witness_signing` (same `ed25519-dalek` 2.x API, same
+//! deterministic-test-key convention). SHA-256 matches the `sha256:` prefix
+//! the manifest doc already declared for `wasm_module_hash`, and the
+//! `cog-ha-matter` cog manifest's `binary_sha256` hex convention.
+//!
+//! ## Secure default
+//!
+//! [`PluginPolicy::trusted`] (the production constructor) **rejects**:
+//!   * an unsigned module (no hash / sig / key),
+//!   * a signature from a key not on the allowlist,
+//!   * any hash or signature mismatch.
+//!
+//! Only [`PluginPolicy::AllowUnsigned`] loosens this, and every load it
+//! waves through emits a `warn`-level log line so it cannot pass silently.
+
+use base64::Engine as _;
+use ed25519_dalek::{Signature, Verifier, VerifyingKey};
+use sha2::{Digest, Sha256};
+
+use crate::error::PluginError;
+use crate::manifest::PluginManifest;
+
+/// Trust policy governing which plugins may load.
+///
+/// The production path uses [`PluginPolicy::trusted`] with an explicit
+/// allowlist of publisher verifying keys. [`PluginPolicy::AllowUnsigned`]
+/// is the dev escape hatch — it loads anything (even unsigned modules) but
+/// logs a loud warning per load.
+#[derive(Debug, Clone)]
+pub enum PluginPolicy {
+    /// Secure default: a plugin loads only if its module hash matches, its
+    /// Ed25519 signature verifies, AND its publisher key is in this
+    /// allowlist. Each entry is the 32-byte raw Ed25519 verifying key.
+    Trusted { allowlist: Vec<[u8; 32]> },
+    /// Dev-only: skip signature/allowlist enforcement. Hash is still
+    /// checked when a `wasm_module_hash` is present (cheap integrity), but
+    /// unsigned / unknown-publisher modules are allowed. Every load logs a
+    /// loud `warn`.
+    AllowUnsigned,
+}
+
+impl PluginPolicy {
+    /// Construct the secure (production) policy from a list of trusted
+    /// publisher keys, each encoded as `ed25519:<base64>` (the same form
+    /// the manifest `publisher_key` uses).
+    pub fn trusted(publisher_keys: &[&str]) -> Result<Self, PluginError> {
+        let mut allowlist = Vec::with_capacity(publisher_keys.len());
+        for k in publisher_keys {
+            allowlist.push(decode_verifying_key(k)?.to_bytes());
+        }
+        Ok(PluginPolicy::Trusted { allowlist })
+    }
+
+    /// Secure policy that trusts no publisher at all — every signed or
+    /// unsigned module is rejected. Useful as a strict default.
+    pub fn deny_all() -> Self {
+        PluginPolicy::Trusted { allowlist: vec![] }
+    }
+
+    fn is_dev(&self) -> bool {
+        matches!(self, PluginPolicy::AllowUnsigned)
+    }
+
+    fn allows(&self, key: &VerifyingKey) -> bool {
+        match self {
+            PluginPolicy::AllowUnsigned => true,
+            PluginPolicy::Trusted { allowlist } => {
+                allowlist.iter().any(|k| k == &key.to_bytes())
+            }
+        }
+    }
+}
+
+/// Verify a `.wasm` module's integrity and signature against its manifest,
+/// under the given trust `policy`. Returns `Ok(())` only if the module may
+/// be instantiated.
+///
+/// On [`PluginPolicy::AllowUnsigned`] this still checks any present hash,
+/// but waves through missing/untrusted signatures with a loud `warn`.
+pub fn verify_module(
+    manifest: &PluginManifest,
+    wasm_bytes: &[u8],
+    policy: &PluginPolicy,
+) -> Result<(), PluginError> {
+    let signed = manifest.wasm_module_hash.is_some()
+        || manifest.wasm_module_sig.is_some()
+        || manifest.publisher_key.is_some();
+
+    if !signed {
+        // No integrity material at all.
+        if policy.is_dev() {
+            eprintln!(
+                "[PLUGIN WARN] loading UNSIGNED plugin `{}` — no wasm_module_hash/sig/publisher_key. \
+                 AllowUnsigned dev policy is active; this is INSECURE and must not be used in production.",
+                manifest.domain
+            );
+            return Ok(());
+        }
+        return Err(PluginError::SignatureRejected(format!(
+            "plugin `{}` is unsigned (no wasm_module_hash/sig/publisher_key) and the trust policy \
+             rejects unsigned modules; set PluginPolicy::AllowUnsigned to override in dev",
+            manifest.domain
+        )));
+    }
+
+    // (1) Hash check — always enforced when a hash is declared.
+    let digest = sha256_digest(wasm_bytes);
+    if let Some(declared) = &manifest.wasm_module_hash {
+        let expected = parse_sha256(declared)?;
+        if expected != digest {
+            return Err(PluginError::SignatureRejected(format!(
+                "plugin `{}` wasm hash mismatch: module does not match manifest wasm_module_hash \
+                 (tampered or wrong binary)",
+                manifest.domain
+            )));
+        }
+    } else if !policy.is_dev() {
+        return Err(PluginError::SignatureRejected(format!(
+            "plugin `{}` carries a signature/publisher_key but no wasm_module_hash to bind it to",
+            manifest.domain
+        )));
+    }
+
+    // (2) Signature check + (3) allowlist.
+    match (&manifest.wasm_module_sig, &manifest.publisher_key) {
+        (Some(sig_str), Some(key_str)) => {
+            let key = decode_verifying_key(key_str)?;
+            let sig = decode_signature(sig_str)?;
+            key.verify(&digest, &sig).map_err(|_| {
+                PluginError::SignatureRejected(format!(
+                    "plugin `{}` Ed25519 signature does not verify over the module hash under \
+                     publisher_key",
+                    manifest.domain
+                ))
+            })?;
+            if !policy.allows(&key) {
+                if policy.is_dev() {
+                    eprintln!(
+                        "[PLUGIN WARN] plugin `{}` is validly signed but its publisher_key is NOT on \
+                         the trust allowlist; AllowUnsigned dev policy loads it anyway.",
+                        manifest.domain
+                    );
+                    return Ok(());
+                }
+                return Err(PluginError::SignatureRejected(format!(
+                    "plugin `{}` is validly signed but its publisher_key is not on the trust \
+                     allowlist (untrusted publisher)",
+                    manifest.domain
+                )));
+            }
+            Ok(())
+        }
+        _ => {
+            // Hash present but signature/key incomplete.
+            if policy.is_dev() {
+                eprintln!(
+                    "[PLUGIN WARN] plugin `{}` has a hash but no complete Ed25519 signature; \
+                     AllowUnsigned dev policy loads it anyway.",
+                    manifest.domain
+                );
+                return Ok(());
+            }
+            Err(PluginError::SignatureRejected(format!(
+                "plugin `{}` is missing a complete wasm_module_sig + publisher_key pair; the trust \
+                 policy requires a valid signature",
+                manifest.domain
+            )))
+        }
+    }
+}
+
+/// SHA-256 of `bytes` as a 32-byte digest.
+fn sha256_digest(bytes: &[u8]) -> [u8; 32] {
+    let mut hasher = Sha256::new();
+    hasher.update(bytes);
+    hasher.finalize().into()
+}
+
+/// Parse a `sha256:<hex>` manifest hash into a 32-byte digest.
+fn parse_sha256(s: &str) -> Result<[u8; 32], PluginError> {
+    let hex_part = s.strip_prefix("sha256:").ok_or_else(|| {
+        PluginError::InvalidManifest(format!(
+            "wasm_module_hash must be `sha256:<hex>`, got {s:?}"
+        ))
+    })?;
+    let raw = hex::decode(hex_part).map_err(|e| {
+        PluginError::InvalidManifest(format!("wasm_module_hash hex decode: {e}"))
+    })?;
+    raw.try_into().map_err(|v: Vec<u8>| {
+        PluginError::InvalidManifest(format!(
+            "wasm_module_hash must decode to 32 bytes, got {}",
+            v.len()
+        ))
+    })
+}
+
+/// Decode an `ed25519:<base64>` 32-byte verifying key.
+fn decode_verifying_key(s: &str) -> Result<VerifyingKey, PluginError> {
+    let b64 = s.strip_prefix("ed25519:").ok_or_else(|| {
+        PluginError::InvalidManifest(format!(
+            "publisher_key must be `ed25519:<base64>`, got {s:?}"
+        ))
+    })?;
+    let raw = base64::engine::general_purpose::STANDARD
+        .decode(b64)
+        .map_err(|e| PluginError::InvalidManifest(format!("publisher_key base64: {e}")))?;
+    let bytes: [u8; 32] = raw.try_into().map_err(|v: Vec<u8>| {
+        PluginError::InvalidManifest(format!(
+            "publisher_key must decode to 32 bytes, got {}",
+            v.len()
+        ))
+    })?;
+    VerifyingKey::from_bytes(&bytes)
+        .map_err(|e| PluginError::InvalidManifest(format!("publisher_key not a valid Ed25519 point: {e}")))
+}
+
+/// Decode an `ed25519:<base64>` 64-byte signature.
+fn decode_signature(s: &str) -> Result<Signature, PluginError> {
+    let b64 = s.strip_prefix("ed25519:").ok_or_else(|| {
+        PluginError::InvalidManifest(format!(
+            "wasm_module_sig must be `ed25519:<base64>`, got {s:?}"
+        ))
+    })?;
+    let raw = base64::engine::general_purpose::STANDARD
+        .decode(b64)
+        .map_err(|e| PluginError::InvalidManifest(format!("wasm_module_sig base64: {e}")))?;
+    let bytes: [u8; 64] = raw.try_into().map_err(|v: Vec<u8>| {
+        PluginError::InvalidManifest(format!(
+            "wasm_module_sig must decode to 64 bytes, got {}",
+            v.len()
+        ))
+    })?;
+    Ok(Signature::from_bytes(&bytes))
+}
+
+/// Encode a SHA-256 digest as the manifest `sha256:<hex>` form. Exposed so
+/// tooling (and tests) can produce a manifest hash for real `.wasm` bytes.
+pub fn encode_sha256(wasm_bytes: &[u8]) -> String {
+    format!("sha256:{}", hex::encode(sha256_digest(wasm_bytes)))
+}
+
+/// Encode an Ed25519 verifying key as the manifest `ed25519:<base64>` form.
+pub fn encode_verifying_key(key: &VerifyingKey) -> String {
+    format!(
+        "ed25519:{}",
+        base64::engine::general_purpose::STANDARD.encode(key.to_bytes())
+    )
+}
+
+/// Encode an Ed25519 signature as the manifest `ed25519:<base64>` form.
+pub fn encode_signature(sig: &Signature) -> String {
+    format!(
+        "ed25519:{}",
+        base64::engine::general_purpose::STANDARD.encode(sig.to_bytes())
+    )
+}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+    use ed25519_dalek::{Signer, SigningKey};
+
+    /// Deterministic publisher key (mirrors witness_signing's fixed-bytes
+    /// seed convention — DO NOT use in production).
+    fn publisher() -> SigningKey {
+        SigningKey::from_bytes(b"homecore-plugins-pub-test-seed--")
+    }
+
+    fn attacker() -> SigningKey {
+        SigningKey::from_bytes(b"homecore-plugins-attacker-seed--")
+    }
+
+    /// Sign `wasm_bytes` with `key` and produce a manifest carrying the real
+    /// hash + signature + publisher key.
+    fn signed_manifest(wasm_bytes: &[u8], key: &SigningKey) -> PluginManifest {
+        let digest = sha256_digest(wasm_bytes);
+        let sig = key.sign(&digest);
+        PluginManifest {
+            domain: "demo".into(),
+            name: "Demo".into(),
+            version: "1.0.0".into(),
+            documentation: None,
+            iot_class: None,
+            config_flow: false,
+            integration_type: None,
+            dependencies: vec![],
+            requirements: vec![],
+            wasm_module: Some("demo.wasm".into()),
+            wasm_module_hash: Some(encode_sha256(wasm_bytes)),
+            wasm_module_sig: Some(encode_signature(&sig)),
+            publisher_key: Some(encode_verifying_key(&key.verifying_key())),
+            min_homecore_version: None,
+            host_imports_required: vec![],
+            homecore_permissions: vec![],
+            cog_id: None,
+        }
+    }
+
+    #[test]
+    fn valid_sig_from_trusted_key_passes() {
+        let wasm = b"\0asm\x01\0\0\0fake module bytes";
+        let key = publisher();
+        let manifest = signed_manifest(wasm, &key);
+        let policy =
+            PluginPolicy::trusted(&[&encode_verifying_key(&key.verifying_key())]).unwrap();
+        verify_module(&manifest, wasm, &policy).expect("trusted signed module should load");
+    }
+
+    #[test]
+    fn tampered_module_is_rejected() {
+        let wasm = b"\0asm\x01\0\0\0fake module bytes";
+        let key = publisher();
+        let manifest = signed_manifest(wasm, &key);
+        let policy =
+            PluginPolicy::trusted(&[&encode_verifying_key(&key.verifying_key())]).unwrap();
+        // Flip a byte: hash no longer matches.
+        let tampered = b"\0asm\x01\0\0\0FAKE module bytes";
+        let err = verify_module(&manifest, tampered, &policy).unwrap_err();
+        assert!(matches!(err, PluginError::SignatureRejected(_)), "got {err:?}");
+    }
+
+    #[test]
+    fn valid_sig_from_untrusted_key_is_rejected() {
+        let wasm = b"\0asm\x01\0\0\0fake module bytes";
+        // Signed correctly by the attacker, but the attacker is not trusted.
+        let manifest = signed_manifest(wasm, &attacker());
+        let policy =
+            PluginPolicy::trusted(&[&encode_verifying_key(&publisher().verifying_key())]).unwrap();
+        let err = verify_module(&manifest, wasm, &policy).unwrap_err();
+        assert!(matches!(err, PluginError::SignatureRejected(_)), "got {err:?}");
+    }
+
+    #[test]
+    fn forged_signature_is_rejected() {
+        // Manifest claims the trusted publisher_key but the signature was
+        // produced by the attacker (a forged sig under a trusted identity).
+        let wasm = b"\0asm\x01\0\0\0fake module bytes";
+        let digest = sha256_digest(wasm);
+        let forged = attacker().sign(&digest);
+        let mut manifest = signed_manifest(wasm, &publisher());
+        manifest.wasm_module_sig = Some(encode_signature(&forged));
+        let policy =
+            PluginPolicy::trusted(&[&encode_verifying_key(&publisher().verifying_key())]).unwrap();
+        let err = verify_module(&manifest, wasm, &policy).unwrap_err();
+        assert!(matches!(err, PluginError::SignatureRejected(_)), "got {err:?}");
+    }
+
+    #[test]
+    fn unsigned_module_rejected_under_default_policy() {
+        let wasm = b"\0asm\x01\0\0\0unsigned";
+        let manifest = PluginManifest {
+            domain: "u".into(),
+            name: "U".into(),
+            version: "1".into(),
+            documentation: None,
+            iot_class: None,
+            config_flow: false,
+            integration_type: None,
+            dependencies: vec![],
+            requirements: vec![],
+            wasm_module: Some("u.wasm".into()),
+            wasm_module_hash: None,
+            wasm_module_sig: None,
+            publisher_key: None,
+            min_homecore_version: None,
+            host_imports_required: vec![],
+            homecore_permissions: vec![],
+            cog_id: None,
+        };
+        let err = verify_module(&manifest, wasm, &PluginPolicy::deny_all()).unwrap_err();
+        assert!(matches!(err, PluginError::SignatureRejected(_)), "got {err:?}");
+        // ...but AllowUnsigned loads it (with a warn).
+        verify_module(&manifest, wasm, &PluginPolicy::AllowUnsigned)
+            .expect("AllowUnsigned should load an unsigned module");
+    }
+}

v2/crates/homecore-plugins/src/wasmtime_runtime.rs

@@ -30,16 +30,27 @@ use wasmtime::{Engine, Linker, Module, Store};
 
 use crate::error::PluginError;
 use crate::host_abi::{LogLevel, StateChangedEventJson, MAX_ABI_BUFFER_BYTES};
+use crate::manifest::PluginManifest;
+use crate::permissions::PermissionSet;
+use crate::verify::{verify_module, PluginPolicy};
 
 // ── Store data ─────────────────────────────────────────────────────────────
 
 /// Per-plugin state stored inside the Wasmtime [`Store`].
 ///
 /// Wasmtime's `Store<T>` exposes `T` to host functions via `caller.data()`.
-/// We store the `HomeCore` handle and a list of subscribed entity IDs here.
+/// We store the `HomeCore` handle, a list of subscribed entity IDs, and the
+/// plugin's write-permission set (ADR-162 P5 authority isolation).
 pub struct PluginStoreData {
     pub hc: HomeCore,
     pub subscriptions: Vec<String>,
+    /// Entity-write authority distilled from the manifest's
+    /// `homecore_permissions`. Consulted by `hc_state_set`. The
+    /// permission-free [`WasmtimeRuntime::load_wasm`] path installs an
+    /// all-allowing set for backward compatibility; the
+    /// [`WasmtimeRuntime::load_plugin`] path installs the manifest's
+    /// declared set.
+    pub permissions: PermissionSet,
 }
 
 // ── WasmtimeRuntime ────────────────────────────────────────────────────────
@@ -59,14 +70,53 @@ impl WasmtimeRuntime {
         Ok(Self { engine })
     }
 
-    /// Compile and instantiate a WASM plugin from raw bytes.
+    /// Compile and instantiate a WASM plugin from raw bytes, **without**
+    /// signature verification or permission gating (the plugin gets
+    /// all-write authority).
     ///
-    /// Returns a [`WasmPlugin`] handle that owns the `Store` and the
-    /// `Instance`. The handle can be used to call into the WASM module.
+    /// Retained for the legacy/test path and first-party trusted modules.
+    /// Production plugin loading should go through [`Self::load_plugin`],
+    /// which verifies the module (ADR-162 P4) and scopes its write
+    /// authority to the manifest (P5).
     pub fn load_wasm(
         &self,
         wasm_bytes: &[u8],
         hc: HomeCore,
+    ) -> Result<WasmPlugin, PluginError> {
+        self.instantiate(wasm_bytes, hc, PermissionSet::allow_all())
+    }
+
+    /// Verify and instantiate a WASM plugin from its manifest + raw bytes.
+    ///
+    /// This is the secure load path (ADR-162):
+    ///   1. **P4** — [`verify_module`] checks the SHA-256 module hash and
+    ///      Ed25519 signature against the manifest under `policy`. A
+    ///      tampered module, bad/forged signature, untrusted publisher, or
+    ///      (under the secure default) an unsigned module is rejected
+    ///      **before** any guest code runs.
+    ///   2. **P5** — the plugin's `homecore_permissions` are distilled into
+    ///      a [`PermissionSet`] installed in the store, so `hc_state_set`
+    ///      can only write entities the plugin declared.
+    pub fn load_plugin(
+        &self,
+        manifest: &PluginManifest,
+        wasm_bytes: &[u8],
+        hc: HomeCore,
+        policy: &PluginPolicy,
+    ) -> Result<WasmPlugin, PluginError> {
+        // P4: verify before instantiation.
+        verify_module(manifest, wasm_bytes, policy)?;
+        // P5: scope write authority to the manifest's declared permissions.
+        let permissions = PermissionSet::from_manifest(manifest);
+        self.instantiate(wasm_bytes, hc, permissions)
+    }
+
+    /// Shared compile + instantiate, installing the given permission set.
+    fn instantiate(
+        &self,
+        wasm_bytes: &[u8],
+        hc: HomeCore,
+        permissions: PermissionSet,
     ) -> Result<WasmPlugin, PluginError> {
         let module = Module::new(&self.engine, wasm_bytes)
             .map_err(|e| PluginError::RuntimeError(format!("WASM compile: {e}")))?;
@@ -77,6 +127,7 @@ impl WasmtimeRuntime {
         let store_data = PluginStoreData {
             hc,
             subscriptions: Vec::new(),
+            permissions,
         };
         let mut store = Store::new(&self.engine, store_data);
 
@@ -183,7 +234,9 @@ fn register_hc_state_get(
 /// Sets the state for the entity whose UTF-8 ID is at `[eid_ptr,eid_ptr+eid_len)`.
 /// The new state string is at `[state_ptr,state_ptr+state_len)`.
 /// The attributes JSON is at `[attrs_ptr,attrs_ptr+attrs_len)`.
-/// Returns 0 on success, negative on error.
+/// Returns 0 on success, negative on error: -1 (bad memory/args), -2
+/// (invalid entity id), -3 (permission denied — entity not in the
+/// plugin's declared `homecore_permissions`, ADR-162 P5).
 fn register_hc_state_set(
     linker: &mut Linker<PluginStoreData>,
 ) -> Result<(), PluginError> {
@@ -224,6 +277,20 @@ fn register_hc_state_set(
                     Ok(id) => id,
                     Err(_) => return -2,
                 };
+
+                // ── P5 authority isolation (ADR-162) ──────────────────────
+                // Reject a write to an entity the plugin did not declare in
+                // `homecore_permissions`. Return a typed error code to the
+                // guest (-3); do NOT panic the host.
+                if !caller.data().permissions.may_write(entity_id.as_str()) {
+                    eprintln!(
+                        "[PLUGIN WARN] denied hc_state_set on `{}` — not in plugin's declared \
+                         homecore_permissions (P5 authority isolation)",
+                        entity_id.as_str()
+                    );
+                    return -3;
+                }
+
                 let attrs: serde_json::Value =
                     serde_json::from_str(&attrs_str).unwrap_or(serde_json::json!({}));
 

v2/crates/homecore-plugins/tests/integration.rs

@@ -371,4 +371,259 @@ mod wasmtime_tests {
         let r = plugin.call_setup("{}").expect("setup");
         assert_eq!(r, 0);
     }
+
+    // ── ADR-162 P4: signature/integrity verification ────────────────────────
+    //
+    // Each of these FAILS on the pre-ADR-162 code, which had no
+    // `load_plugin` / `verify_module` at all — the manifest hash/sig/key
+    // were parsed and discarded. They drive the real verification gate.
+
+    use ed25519_dalek::{Signer, SigningKey};
+    use homecore_plugins::manifest::PluginManifest;
+    use homecore_plugins::verify::{encode_sha256, encode_signature, encode_verifying_key};
+    use homecore_plugins::PluginPolicy;
+
+    /// Deterministic publisher key (fixed seed — never use in production;
+    /// mirrors the cog-ha-matter witness_signing test-key convention).
+    fn publisher_key() -> SigningKey {
+        SigningKey::from_bytes(b"hc-plugins-integration-pub-seed-")
+    }
+
+    fn untrusted_key() -> SigningKey {
+        SigningKey::from_bytes(b"hc-plugins-integration-evil-seed")
+    }
+
+    /// A minimal valid module that writes `light.kitchen` on setup, plus a
+    /// `light.*` permission grant. Returns the WAT source.
+    const WRITE_LIGHT_WAT: &str = r#"
+(module
+  (import "env" "hc_state_get"       (func $hc_state_get (param i32 i32 i32 i32) (result i32)))
+  (import "env" "hc_state_set"       (func $hc_state_set (param i32 i32 i32 i32 i32 i32) (result i32)))
+  (import "env" "hc_state_subscribe" (func $hc_state_subscribe (param i32 i32) (result i32)))
+  (import "env" "hc_log"             (func $hc_log (param i32 i32 i32)))
+  (memory (export "memory") 1)
+  (global $bump (mut i32) (i32.const 512))
+  (data (i32.const 0)   "light.kitchen")
+  (data (i32.const 64)  "on")
+  (data (i32.const 128) "{}")
+  (func (export "alloc") (param i32) (result i32)
+    (local $p i32)
+    (local.set $p (global.get $bump))
+    (global.set $bump (i32.add (global.get $bump) (local.get 0)))
+    (local.get $p))
+  (func (export "dealloc") (param i32 i32))
+  (func (export "plugin_setup") (param i32 i32) (result i32)
+    (call $hc_state_set
+      (i32.const 0) (i32.const 13)   ;; "light.kitchen"
+      (i32.const 64) (i32.const 2)   ;; "on"
+      (i32.const 128) (i32.const 2)) ;; "{}"
+    drop
+    (i32.const 0))
+  (func (export "plugin_handle_state_changed") (param i32 i32) (result i32) (i32.const 0))
+)
+"#;
+
+    /// Build a manifest signed by `key` over the SHA-256 of `wasm_bytes`,
+    /// with the given write-permission grants.
+    fn signed_manifest(
+        wasm_bytes: &[u8],
+        key: &SigningKey,
+        perms: &[&str],
+    ) -> PluginManifest {
+        use sha2::{Digest, Sha256};
+        let digest: [u8; 32] = Sha256::digest(wasm_bytes).into();
+        let sig = key.sign(&digest);
+        let mut m = PluginManifest::parse_json(
+            r#"{"domain":"demo","name":"Demo","version":"1.0.0"}"#,
+        )
+        .unwrap();
+        m.wasm_module = Some("demo.wasm".into());
+        m.wasm_module_hash = Some(encode_sha256(wasm_bytes));
+        m.wasm_module_sig = Some(encode_signature(&sig));
+        m.publisher_key = Some(encode_verifying_key(&key.verifying_key()));
+        m.homecore_permissions = perms.iter().map(|s| s.to_string()).collect();
+        m
+    }
+
+    #[test]
+    fn p4_valid_sig_from_trusted_key_loads() {
+        let wasm = wat::parse_str(WRITE_LIGHT_WAT).expect("WAT");
+        let key = publisher_key();
+        let manifest = signed_manifest(&wasm, &key, &["light.*"]);
+        let policy =
+            PluginPolicy::trusted(&[&encode_verifying_key(&key.verifying_key())]).unwrap();
+
+        let rt = WasmtimeRuntime::new().expect("rt");
+        let hc = HomeCore::new();
+        rt.load_plugin(&manifest, &wasm, hc, &policy)
+            .expect("a validly-signed, trusted plugin must load");
+    }
+
+    #[test]
+    fn p4_tampered_module_is_rejected() {
+        let wasm = wat::parse_str(WRITE_LIGHT_WAT).expect("WAT");
+        let key = publisher_key();
+        // Manifest signs the original bytes; we then load DIFFERENT bytes.
+        let manifest = signed_manifest(&wasm, &key, &["light.*"]);
+        let policy =
+            PluginPolicy::trusted(&[&encode_verifying_key(&key.verifying_key())]).unwrap();
+
+        // Re-compile a byte-different module (writes "off" not "on").
+        let tampered_src = WRITE_LIGHT_WAT.replace(r#""on""#, r#""of""#);
+        let tampered = wat::parse_str(&tampered_src).expect("WAT");
+        assert_ne!(wasm, tampered, "test bug: bytes must differ");
+
+        let rt = WasmtimeRuntime::new().expect("rt");
+        let hc = HomeCore::new();
+        match rt.load_plugin(&manifest, &tampered, hc, &policy) {
+            Err(homecore_plugins::PluginError::SignatureRejected(_)) => {}
+            Ok(_) => panic!("tampered module must be rejected (hash mismatch), but it loaded"),
+            Err(e) => panic!("expected SignatureRejected, got {e:?}"),
+        }
+    }
+
+    #[test]
+    fn p4_valid_sig_from_untrusted_key_is_rejected() {
+        let wasm = wat::parse_str(WRITE_LIGHT_WAT).expect("WAT");
+        // Correctly signed by the untrusted key — but it is not on the allowlist.
+        let manifest = signed_manifest(&wasm, &untrusted_key(), &["light.*"]);
+        let policy =
+            PluginPolicy::trusted(&[&encode_verifying_key(&publisher_key().verifying_key())])
+                .unwrap();
+
+        let rt = WasmtimeRuntime::new().expect("rt");
+        let hc = HomeCore::new();
+        match rt.load_plugin(&manifest, &wasm, hc, &policy) {
+            Err(homecore_plugins::PluginError::SignatureRejected(_)) => {}
+            Ok(_) => panic!("untrusted publisher must be rejected, but it loaded"),
+            Err(e) => panic!("expected SignatureRejected, got {e:?}"),
+        }
+    }
+
+    #[test]
+    fn p4_unsigned_module_rejected_by_default_loads_only_under_allow_unsigned() {
+        let wasm = wat::parse_str(WRITE_LIGHT_WAT).expect("WAT");
+        let mut manifest = PluginManifest::parse_json(
+            r#"{"domain":"u","name":"U","version":"1"}"#,
+        )
+        .unwrap();
+        manifest.wasm_module = Some("u.wasm".into());
+        manifest.homecore_permissions = vec!["light.*".into()];
+        // No hash/sig/key → unsigned.
+
+        let rt = WasmtimeRuntime::new().expect("rt");
+        // Secure default: rejected.
+        match rt.load_plugin(&manifest, &wasm, HomeCore::new(), &PluginPolicy::deny_all()) {
+            Err(homecore_plugins::PluginError::SignatureRejected(_)) => {}
+            Ok(_) => panic!("unsigned module must be rejected under the secure default"),
+            Err(e) => panic!("expected SignatureRejected, got {e:?}"),
+        }
+        // Dev escape hatch: loads (with a loud warn).
+        rt.load_plugin(
+            &manifest,
+            &wasm,
+            HomeCore::new(),
+            &PluginPolicy::AllowUnsigned,
+        )
+        .expect("AllowUnsigned dev policy must load an unsigned module");
+    }
+
+    // ── ADR-162 P5: authority / capability isolation ────────────────────────
+    //
+    // FAILS on the pre-ADR-162 code, where `hc_state_set` ignored
+    // `homecore_permissions` entirely and let any plugin write any entity.
+
+    /// Module that writes `lock.front_door` on setup (an over-privileged
+    /// write a `light.*` plugin must NOT be allowed to perform).
+    const WRITE_LOCK_WAT: &str = r#"
+(module
+  (import "env" "hc_state_get"       (func $hc_state_get (param i32 i32 i32 i32) (result i32)))
+  (import "env" "hc_state_set"       (func $hc_state_set (param i32 i32 i32 i32 i32 i32) (result i32)))
+  (import "env" "hc_state_subscribe" (func $hc_state_subscribe (param i32 i32) (result i32)))
+  (import "env" "hc_log"             (func $hc_log (param i32 i32 i32)))
+  (memory (export "memory") 1)
+  (global $bump (mut i32) (i32.const 512))
+  (data (i32.const 0)   "lock.front_door")
+  (data (i32.const 64)  "unlocked")
+  (data (i32.const 128) "{}")
+  (func (export "alloc") (param i32) (result i32)
+    (local $p i32)
+    (local.set $p (global.get $bump))
+    (global.set $bump (i32.add (global.get $bump) (local.get 0)))
+    (local.get $p))
+  (func (export "dealloc") (param i32 i32))
+  ;; plugin_setup returns the hc_state_set result code so the host test can
+  ;; assert the guest saw the typed permission-denied error (-3).
+  (func (export "plugin_setup") (param i32 i32) (result i32)
+    (call $hc_state_set
+      (i32.const 0) (i32.const 15)   ;; "lock.front_door"
+      (i32.const 64) (i32.const 8)   ;; "unlocked"
+      (i32.const 128) (i32.const 2))) ;; "{}"
+  (func (export "plugin_handle_state_changed") (param i32 i32) (result i32) (i32.const 0))
+)
+"#;
+
+    #[test]
+    fn p5_declared_light_plugin_may_write_light_but_not_lock() {
+        let key = publisher_key();
+        let trusted = PluginPolicy::trusted(&[&encode_verifying_key(&key.verifying_key())]).unwrap();
+        let rt = WasmtimeRuntime::new().expect("rt");
+
+        // (a) A `light.*` plugin writing `light.kitchen` → ALLOWED.
+        let light_wasm = wat::parse_str(WRITE_LIGHT_WAT).expect("WAT");
+        let light_manifest = signed_manifest(&light_wasm, &key, &["light.*"]);
+        let hc_a = HomeCore::new();
+        let plugin_a = rt
+            .load_plugin(&light_manifest, &light_wasm, hc_a.clone(), &trusted)
+            .expect("light plugin loads");
+        let r = plugin_a.call_setup("{}").expect("setup");
+        assert_eq!(r, 0, "write to declared light.kitchen should succeed");
+        let kitchen = homecore::EntityId::parse("light.kitchen").unwrap();
+        assert_eq!(
+            hc_a.states().get(&kitchen).expect("light.kitchen written").state,
+            "on"
+        );
+
+        // (b) The SAME `light.*` plugin attempting to write `lock.front_door`
+        // → REJECTED with the typed -3 code, and the lock is NOT written.
+        let lock_wasm = wat::parse_str(WRITE_LOCK_WAT).expect("WAT");
+        let lock_manifest = signed_manifest(&lock_wasm, &key, &["light.*"]);
+        let hc_b = HomeCore::new();
+        let plugin_b = rt
+            .load_plugin(&lock_manifest, &lock_wasm, hc_b.clone(), &trusted)
+            .expect("module loads (verification ok); the WRITE is what's gated");
+        let denied = plugin_b.call_setup("{}").expect("setup runs without trapping host");
+        assert_eq!(
+            denied, -3,
+            "over-privileged write to lock.front_door must return -3 (permission denied)"
+        );
+        let lock = homecore::EntityId::parse("lock.front_door").unwrap();
+        assert!(
+            hc_b.states().get(&lock).is_none(),
+            "lock.front_door must NOT have been written by a light-only plugin"
+        );
+    }
+
+    #[test]
+    fn p5_plugin_with_no_permissions_can_write_nothing() {
+        let key = publisher_key();
+        let trusted = PluginPolicy::trusted(&[&encode_verifying_key(&key.verifying_key())]).unwrap();
+        let rt = WasmtimeRuntime::new().expect("rt");
+
+        let wasm = wat::parse_str(WRITE_LIGHT_WAT).expect("WAT");
+        // No permissions declared at all.
+        let manifest = signed_manifest(&wasm, &key, &[]);
+        let hc = HomeCore::new();
+        let plugin = rt
+            .load_plugin(&manifest, &wasm, hc.clone(), &trusted)
+            .expect("module loads; the write is gated");
+        // WRITE_LIGHT_WAT drops the host-import result and returns 0, so we
+        // assert the denial via the side-effect: the write must NOT land.
+        plugin.call_setup("{}").expect("setup runs without trapping host");
+        let kitchen = homecore::EntityId::parse("light.kitchen").unwrap();
+        assert!(
+            hc.states().get(&kitchen).is_none(),
+            "no-permission plugin must not write light.kitchen (P5 authority isolation)"
+        );
+    }
 }

v2/crates/homecore-server/src/main.rs

@@ -121,8 +121,21 @@ async fn main() -> Result<()> {
     let _ = plugin_registry; // wired-but-empty at boot; integrations register here
 
     // ── 4. Automation engine ────────────────────────────────────────
-    let _automation_engine = AutomationEngine::new(hc.clone());
-    info!("Automation engine ready (no automations loaded yet)");
+    // Construct AND start the engine (HC-WS-03, ADR-161). `start()`
+    // spawns the state-change event loop + the 1 Hz wall-clock timer
+    // task so state/numeric/event AND time triggers all fire. The
+    // engine is kept alive for the process lifetime (it is moved into a
+    // long-lived binding); its background tasks run until the HomeCore
+    // broadcast channel closes at shutdown. No automations are loaded at
+    // boot yet (YAML loader is P-next); integrations register via
+    // `engine.register(..)`.
+    let automation_engine = AutomationEngine::new(hc.clone());
+    let _automation_task = automation_engine.start();
+    info!(
+        "Automation engine started ({} automations registered) — \
+         state/numeric/event + time triggers active",
+        automation_engine.len()
+    );
 
     // ── 5. Assist pipeline ──────────────────────────────────────────
     let recognizer = RegexIntentRecognizer::new();