Automated release from CI pipeline

Changes:
cog-ha-matter (ADR-116 P8): app-registry entry stub + release checklist

Two closing P8 deliverables that complete the local-side publishing
scaffolding. The remaining work is all credential-bearing user
action.

1. cog/app-registry-entry.json — the exact JSON payload to paste
   into cognitum-one's app-registry.json. Schema discovered by
   fetching the live registry (105 cogs, 11 categories) and
   matching the existing ruview-densepose entry verbatim. Keys:

   id, name, category, version, size_kb, difficulty, description,
   featured, config[], sha256, binary_size

   cog-ha-matter slots in under category: "building" (smart home
   / building automation — the natural HA / Matter category, vs
   network which is more about transport bridges).

   7 config[] entries mirror our CLI surface:
   sensing_url, mqtt_host, mqtt_port, privacy_mode,
   mdns_hostname, mdns_ipv4, no_mdns

   Two post-build fields left as <FILL_IN_...> markers:
   sha256 (paste from the workflow artifact's .sha256)
   binary_size (wc -c < the binary)

   Schema validated: all 10 required keys present, parses as JSON.

2. cog/RELEASE-CHECKLIST.md — one-page mechanical playbook with
   four explicit "🔑 USER ACTION" gates. Each gate names exactly
   what the user (or org admin) has to do that the pipeline cannot:

   a) provision GCP_CREDENTIALS + HAS_GCP_CREDENTIALS org var
   b) provision COGNITUM_OWNER_SIGNING_KEY GH secret
   c) gcloud auth login (only if uploading locally)
   d) PR app-registry.json into cognitum-one

   Plus pre-release test gate, tag-push command, post-release
   verification curl, and a rollback procedure using GCS object
   versioning (per ADR-100 §"GCS misconfiguration risks").

Stop-condition check (cron's predicate: "ALL local-side publishing
scaffolding is complete and the only remaining work requires user
action"):

✅ cog/manifest.template.json
✅ cog/Makefile (build / sign / upload / verify / clean)
✅ cog/README.md
✅ cog/app-registry-entry.json (this commit)
✅ cog/RELEASE-CHECKLIST.md (this commit)
✅ .github/workflows/cog-ha-matter-release.yml (3 jobs, gated)
✅ dist/ handling (gitignored, created by make)

🔑 4 user-action gates explicitly enumerated in the checklist

The cron should STOP after this iter — the local-side scaffolding
is complete and the remaining work is the four named credential
gates that the pipeline cannot self-serve.

Co-Authored-By: claude-flow ruv@ruv.net

Docker Image:
ghcr.io/ruvnet/RuView:be4efecbcd9a8f357df07dcc654f363fc774f8fb

Automated release from CI pipeline

Changes:
cog-ha-matter (ADR-116 P8): CI release workflow + fix inherited filename bug

New .github/workflows/cog-ha-matter-release.yml:

• Triggers on cog-ha-matter-v* tag-push + manual dispatch
• Three jobs: build-x86_64, build-arm, publish-gcs
• x86_64: native ubuntu-latest cargo build
• arm: aarch64-unknown-linux-gnu via apt-installed gcc-aarch64-linux-gnu
  linker (no cross dep needed — keeps workflow self-contained)
• Each build job runs make build-{arch} + make sign-{arch} +
  gated Ed25519 sign step (skipped when COGNITUM_OWNER_SIGNING_KEY
  secret is unset — workflow still produces unsigned artifacts so
  we get build coverage now and signing later without re-merging)
• publish-gcs job gated on vars.HAS_GCP_CREDENTIALS == 'true'
  so the workflow is safe to merge before credentials land —
  no-op until the org admin sets the variable
• Uploads binary + sha256 + (optional) sig to
  gs://cognitum-apps/cogs/{arch}/cog-ha-matter-{arch}
• Prints the app-registry.json snippet for the cognitum-one PR
  (so the publish step's output is the exact JSON the user pastes)

Fixed a bug inherited from cog-pose-estimation's Makefile: the
precedent produces dist/cog-cog-pose-estimation-arm (double
cog- prefix because CRATE name already starts with cog-) but
the manifest URL has single prefix cog-pose-estimation-arm. The
upload path doesn't match the binary_url — a latent bug in the
pose cog's pipeline.

My copy now produces dist/cog-ha-matter-arm matching the
manifest URL cog-ha-matter-{{ARCH}}. Changed: Makefile (build /
sign / upload / verify / clean targets), workflow (artifact names

• gsutil paths), README (local dry-run instructions). The
  cog-pose-estimation precedent is unchanged — separate fix if/when
  the user wants to align it.

What this iter does NOT do (P8 remaining):

• provision GCP_CREDENTIALS / COGNITUM_OWNER_SIGNING_KEY secrets
  (user action — needs org admin access)
• actually run the workflow (needs a cog-ha-matter-v0.1.0 tag
  push, or workflow_dispatch from the Actions tab)
• append to app-registry.json in cognitum-one (separate repo PR)

Next iter: tag a v0.0.1-dev (so the workflow runs once + we see
any build-time errors on real CI runners) OR scaffold the
app-registry.json patch payload as a check-in doc.

Co-Authored-By: claude-flow ruv@ruv.net

Docker Image:
ghcr.io/ruvnet/RuView:3833929dcb301683049858ab1a299015b9510303

Automated release from CI pipeline

Changes:
cog-ha-matter (ADR-116 P8): scaffold cog/ publishing layout

Mirrors v2/crates/cog-pose-estimation/cog/ so the Seed runtime
treats cog-ha-matter identically — cognitum cog install ha-matter
behaves like cognitum cog install pose-estimation.

Files:

• cog/manifest.template.json — 9-field manifest with {{VERSION}}
  • {{ARCH}} slots, hand-edited by the Makefile signer
• cog/Makefile — same target set as cog-pose-estimation:
  build / build-arm / build-x86_64
  sign / sign-arm / sign-x86_64 (Ed25519 step is TODO,
  blocked on COGNITUM_OWNER_SIGNING_KEY provisioning —
  same blocker as cog-pose-estimation)
  upload / upload-arm / upload-x86_64
  manifest (delegates to cargo run -- --print-manifest)
  release (= build + sign + upload + manifest)
  verify (sha256sum vs sidecar)
  clean
  Adds mkdir -p dist to build steps so the gitignored dist/
  folder is created on first build.
• cog/README.md — what this cog does, layout map, local dry-run
  instructions, gcloud auth requirements, the JSON snippet to
  paste into app-registry.json (in the separate cognitum-one
  repo, not this one)

Local dist/ is intentionally not committed: top-level .gitignore
matches dist/ globally, the Makefile creates it on demand.

What this commit does NOT do (P8 remaining):

• cross-compile build (needs rustup target add aarch64-unknown-linux-gnu x86_64-unknown-linux-gnu + linker)
• sign the binaries (COGNITUM_OWNER_SIGNING_KEY not provisioned)
• gsutil cp to gs://cognitum-apps/ (needs user's gcloud auth)
• append to app-registry.json (lives in cognitum-one repo —
  separate PR there)

Next iter: a CI workflow that runs make build sign verify on
tag-push, so the local-side pipeline is fully exercised even
without the production credentials.

Co-Authored-By: claude-flow ruv@ruv.net

Docker Image:
ghcr.io/ruvnet/RuView:1e469aa336045f3c278dd32f9ec57360aad1dbd2

Automated release from CI pipeline

Changes:
cog-ha-matter (ADR-116 P4): live mDNS responder + handle

Closes the mDNS half of P4. runtime::start_mdns_responder binds
multicast via mdns_sd::ServiceDaemon::new, builds the
ServiceInfo from MdnsService::to_service_info (iter 9), and
registers — returning a typed handle that owns both daemon and
fullname.

Handle shape:

pub struct MdnsResponderHandle {
daemon: ServiceDaemon,
fullname: String,
}

impl MdnsResponderHandle {
pub fn fullname(&self) -> &str;
pub fn shutdown(self) -> Result<(), mdns_sd::Error>;
}
impl Drop for MdnsResponderHandle { /* best-effort */ }

Why explicit shutdown + best-effort Drop: a clean shutdown
sends a goodbye packet so HA's discovery integration sees the
service leave (good UX — no stale device card). Drop is the
fallback for panics / process termination but swallows errors
since panicking-in-Drop would mask the real failure.

1 new live-I/O test:

• mdns_responder_fullname_concatenates_instance_and_service_type
  — actually binds multicast on the loopback adapter, registers,
  asserts the fullname contains _ruview-ha._tcp, then
  shutdown()s. Confirmed working on Windows; CI environments
  where multicast bind is filtered will hit the gracefully-
  skipping early return rather than failing the suite.

64/64 cog tests green (63 → 64).

ADR-116 P4: mDNS half ✅ (record-builder + ServiceInfo + live
responder), witness half ✅ (chain + JSONL + file + Ed25519).
Last piece is the embedded rumqttd broker so external mosquitto
becomes optional.

Co-Authored-By: claude-flow ruv@ruv.net

Docker Image:
ghcr.io/ruvnet/RuView:07b792715f8be98c1a821d5ffe497a2fe475984c

Automated release from CI pipeline

Changes:
cog-ha-matter (ADR-116): P4 ✅ — mDNS wired into main, broker deferred

Two landings that flip P4 to shipped:

1. main.rs now actually registers the mDNS responder. New CLI:
   --mdns-hostname (default: cog-ha-matter.local.)
   --mdns-ipv4 (default: 127.0.0.1)
   --no-mdns (skip for restrictive CI / multi-instance)

   Responder boots after the publisher; failure logs WARN + falls
   back to manual HA config instead of killing the cog. The
   handle's Drop sends the mDNS goodbye packet on shutdown so HA's
   discovery sees a clean service-leave (no stale device card).

2. Embedded rumqttd broker DEFERRED to v0.7 per dossier §8 ranking.

   The dossier's prioritised v1 scope is:

   1. --privacy-mode audit-only
   2. cog manifest + Ed25519 signing + store listing
   3. local SONA fine-tuning loop
   4. HACS gold-tier integration
   5. Matter Bridge (v0.8)

   Embedded broker is not in that list. Every HA install already
   has mosquitto or HA Core's built-in broker — adding ~2 MB of
   binary + ACL config surface for marginal benefit didn't earn a
   v1 slot. Documented as row 6 of §4 v1 scope table with explicit
   v0.7 target.

P4 row updated to ✅: mDNS half complete (record-builder +
ServiceInfo + live responder + main.rs wiring), witness half
complete (chain + JSONL + file + Ed25519), embedded broker
explicitly deferred with rationale citation to dossier §8.

Stop-condition check:

• dossier has "Recommended scope" section ✅ (§8, folded into
  ADR §4)
• P2 (cog scaffold) ✅
• P3 (MQTT publisher wrap) ✅
• P4 (Seed-native enhancements) ✅

Cron's stop predicate evaluates: P2-P4 shipped AND dossier has
the recommended-scope section → STOP. The loop should TaskStop
itself after this iter unless the user wants P5 (RuVector
thresholds), P8 (cog signing), or P9 (HACS repo) to keep going.

64/64 tests green.

Co-Authored-By: claude-flow ruv@ruv.net

Docker Image:
ghcr.io/ruvnet/RuView:d4f0e120738703bf58ba666fc56447feea85425a

Automated release from CI pipeline

Changes:
cog-ha-matter (ADR-116 P4): MdnsService -> mdns-sd ServiceInfo bridge

Pure conversion from our wire-format MdnsService to the
mdns_sd::ServiceInfo shape the responder daemon consumes. No
socket binding, no daemon registration yet — that lands next iter
as a runtime::spawn_mdns_responder(info) JoinHandle returning
helper, same shape as runtime::spawn_publisher.

• MdnsService::to_service_info(hostname, ipv4) -> Result<ServiceInfo, mdns_sd::Error>
• mdns-sd = "0.11" added — aligned with the workspace pin from
  wifi-densepose-desktop so the lockfile doesn't fork dalek-like
  surfaces.

3 new tests:

• to_service_info_carries_service_type_and_port — locks that
  _ruview-ha._tcp (with or without mdns-sd's trailing-dot
  normalisation) and the control port round-trip through the
  conversion
• to_service_info_propagates_txt_records — every locked TXT
  key from iter 4 (cog_id, mqtt_port, privacy, proto, node_id,
  cog_version) reachable via get_property_val_str on the
  converted ServiceInfo
• to_service_info_does_not_silently_drop_caller_hostname —
  locks the caller-side responsibility for the .local. suffix.
  mdns-sd 0.11 accepts bare hostnames (verified empirically by
  initial test expecting it to reject — it didn't), so the
  wrapper layer must do the trailing-dot dance. Documenting
  that via a named test catches future bumps where the lib
  starts mutating the value.

63/63 cog tests green (60 → 63).

ADR-116 P4 now ⁶⁄₇: ✅ mDNS record-builder, ✅ chain, ✅ JSONL, ✅
file persistence, ✅ Ed25519 signing, ✅ ServiceInfo conversion;
⏳ daemon register + embedded broker.

Co-Authored-By: claude-flow ruv@ruv.net

Docker Image:
ghcr.io/ruvnet/RuView:34eced880f9e39b9ebf043848003df5249770521

Automated release from CI pipeline

Changes:
cog-ha-matter (ADR-116 P4): Ed25519 signing layer for witness chain

Closes the cryptographic-attestation gap in ADR-116 §2.2: every
witness event can now be signed by the Seed's Ed25519 key, with
verify available to any auditor holding the public key.

Module shape (src/witness_signing.rs, kept separate from
witness:: so the hash chain stays usable without dalek linked
in — important for the wasm32 audit-verifier variant we'll ship
later):

• sign_event(event, &SigningKey) -> Signature
• verify_signature(event, &Signature, &VerifyingKey)
  -> Result<(), SignatureVerifyError>
• signature_to_hex / signature_from_hex (128-char lowercase,
  matches the witness hex convention)
• SignatureVerifyError::Invalid
• SignatureParseError::{Length, Hex}

Key design point: signature covers the SAME canonical bytes
witness::hash_event hashes. That means:

1. A signed event commits to the entire event content (kind,
   payload, timestamp, seq, prev_hash) — no field can be
   retroactively changed without invalidating both the hash AND
   the signature.

2. The signature implicitly commits to the event's chain
   position via prev_hash — splicing a signed event into a
   different chain breaks verification.

Adds ed25519-dalek = "2.1" to cog-ha-matter (already in
workspace via ruv-neural, version kept aligned).

9 new tests:

• sign_and_verify_round_trip
• verify_rejects_signature_under_wrong_key
• verify_rejects_tampered_event (mutate payload after sign)
• verify_rejects_event_with_wrong_prev_hash (splice attack)
• signature_hex_round_trip
• signature_from_hex_rejects_wrong_length
• signature_from_hex_rejects_non_hex
• signature_is_deterministic_for_same_event_and_key
  (locks Ed25519's determinism — catches future accidental
  swap to a randomized scheme)
• different_events_produce_different_signatures

60/60 cog tests green (51 → 60). Key management is intentionally
out of scope here — the cog runtime reads the Seed's key from the
Cognitum control plane's secure store (separate concern).

ADR-116 P4 now ⁵⁄₆: ✅ mDNS record, ✅ chain, ✅ JSONL, ✅ file
persistence, ✅ Ed25519 signing; ⏳ responder + embedded broker.

Co-Authored-By: claude-flow ruv@ruv.net

Docker Image:
ghcr.io/ruvnet/RuView:bb154d4e7808622aff34bfea79a1b8d4f3021a61

Automated release from CI pipeline

Changes:
cog-ha-matter (ADR-116 P4): witness file persistence + chain-level verify

Closes the witness audit-bundle surface. The hash-chain primitive

• JSONL serializer from earlier iters only handled one event at a
  time; this lands the file-stream surface that operations actually
  need:

  • WitnessChain::write_jsonl(&mut impl Write) -> io::Result<()>
    — streams every event as one line + \n, empty chain writes
    zero bytes
  • WitnessChain::read_jsonl(impl BufRead) -> Result<WitnessChain, WitnessReadError> — parses event-by-event AND runs chain-level
    verify() on the loaded chain, catching reordered or replayed
    prefixes that per-event hashing alone misses

Critical security property: read_jsonl calls WitnessChain::verify
on the loaded chain BEFORE returning Ok. A forged bundle assembled
from two valid chains pasted together would slip past the
per-event hash check (each event's this_hash is internally
consistent) but the cross-event prev_hash linkage detects the
seam. Test read_jsonl_chain_verify_catches_reordered_events
locks this — swap two events in a 2-event bundle, see Verify error.

Error surface (new WitnessReadError enum):

• Io { line_no, msg } — read failure mid-stream
• Parse { line_no, source } — per-event from_jsonl_line failure
• Verify { source } — chain-level verify failure

line_no is 1-indexed so an auditor sees the same number their
text editor shows. Blank lines tolerated for hand-edited bundles.

7 new tests:

• empty chain writes zero bytes
• write→read round-trips a 3-event chain
• exactly N newlines for N events; trailing newline present
• blank lines / leading newline tolerated
• parse error surfaces with correct line_no
• reordered events caught by chain-level verify
• no-trailing-newline still loads the final event

51/51 cog tests green (44 → 51).

Co-Authored-By: claude-flow ruv@ruv.net

Docker Image:
ghcr.io/ruvnet/RuView:1f5b7b48c9160da6e1b1d62465fd3f542ace73ed

Automated release from CI pipeline

Changes:
cog-ha-matter (ADR-116 P4): pure witness hash-chain primitive

Second P4 unit: an append-only SHA-256 hash chain for tamper-evident
audit logging. ADR-116 §2.2 promised this for healthcare /
education / shared-housing deployments — this lands the primitive
with no key dependency so the next iter can layer Ed25519 signing
on top without touching the chain itself.

Module shape:

• WitnessHash([u8; 32]) newtype + WitnessHash::GENESIS sentinel
• WitnessEvent { seq, prev_hash, ts, kind, payload, this_hash }
  — once committed, every field is immutable
• WitnessChain — append, tip, verify, events
• canonical_bytes — length-prefixed serialization that prevents
  the classic concatenation forgery
  (abc|def ≠ ab|cdef)
• WitnessVerifyError — auditor-friendly error with at: usize
  on every variant (SeqGap, PrevHashMismatch, HashMismatch)

13 new tests covering both happy path and active tampering:

• genesis hash all-zeros
• empty chain tip is genesis
• canonical bytes length-prefixed (anti-forgery)
• canonical bytes start with prev_hash (wire-format lock)
• append links to prev_hash
• seq monotonic from 0
• verify passes on clean chain
• verify catches tampered payload (fires HashMismatch)
• verify catches broken prev_hash link
• verify catches seq gap
• hash hex is 64 lowercase chars
• first event prev_hash == GENESIS (auditor anchor)
• different payloads → different hashes

Hash-chain over Merkle is the right tradeoff for the cog's event
rate (a few/min steady, dozens during a fall) — linear scan is
fine and we save the Merkle complexity for a future tier when
chains span days.

34/34 cog tests green (21 → 34).

ADR-116 P4 row updated to enumerate the three P4 sub-units shipped /
pending: (a) mDNS record-builder ✅, (b) witness hash-chain ✅, (c)
responder + embedded broker + Ed25519 signing pending.

Co-Authored-By: claude-flow ruv@ruv.net

Docker Image:
ghcr.io/ruvnet/RuView:fe913b0ea7b01b15fae931148282a3a8f761def1

Automated release from CI pipeline

Changes:
cog-ha-matter (ADR-116 P4): witness JSONL persistence

Third P4 sub-unit: serialize/parse for the witness hash chain so
audit bundles can be written to disk and replayed.

Wire shape (one record per line, alphabetical field order locked):

{"kind":"...","payload_hex":"...","prev_hash":"...","seq":N,
"this_hash":"...","timestamp_unix_s":N}

Why alphabetical field order: auditors archive whole bundles and
hash them. A rebuild that reordered fields would silently
invalidate every archival hash — locking the order is what makes
the JSONL stable across compiler / serde-json upgrades.

Why hex everywhere: human-greppable, monospace-friendly, no base64
ambiguity, no Vec JSON-array ugliness. Same convention as
ADR-101's binary_sha256.

Critically, from_jsonl_line RE-VERIFIES this_hash against
the canonical bytes derived from the parsed fields. A tampered
bundle fires WitnessParseError::HashMismatch BEFORE the event
loads — the parser is itself an auditor.

New surfaces:

• WitnessHash::from_hex (with structured length/parse errors)
• WitnessEvent::to_jsonl_line, from_jsonl_line
• WitnessParseError enum: Json | MissingField | WrongType |
  HashLength | HashHex | PayloadHex | PayloadLength | HashMismatch
• private hex_encode / hex_decode helpers (no hex crate dep)

10 new tests:

• jsonl round-trip preserves all fields
• jsonl line has no embedded \n / \r (one record per line)
• jsonl field order is alphabetical (byte-stable archival)
• parser rejects tampered payload via HashMismatch
• parser rejects non-hex characters in hash
• parser rejects missing field
• hex encode/decode round-trip across empty / single byte / 0xff /
  UTF-8 / arbitrary bytes
• hex decode rejects odd-length input
• WitnessHash::from_hex round-trip
• WitnessHash::from_hex rejects wrong length

44/44 cog tests green (34 → 44).

ADR-116 P4 row enumerates 4 sub-units now: ✅ mDNS record-builder,
✅ witness chain primitive, ✅ witness JSONL persistence,
⏳ responder + embedded broker + Ed25519 signing.

Co-Authored-By: claude-flow ruv@ruv.net

Docker Image:
ghcr.io/ruvnet/RuView:a3478ea3b50b5a1550dbd8234a575e2978e00183