From 2154b6931cd19181694ef382af5770097233e5e7 Mon Sep 17 00:00:00 2001
From: ruv <ruv@ruv.net>
Date: Mon, 25 May 2026 15:29:43 -0400
Subject: [PATCH] fix(docker): include HA-DISCO MQTT + cog-ha-matter; restores
 #794

Three changes:
1. Dockerfile.rust now builds sensing-server with `--features mqtt`
   (ADR-115 HA-DISCO publisher) and also builds + ships the
   cog-ha-matter binary (ADR-116 Home Assistant + Matter cog with
   mDNS, embedded broker, RuVector-backed thresholds, Ed25519 witness).
   Adds EXPOSE 1883 for the embedded MQTT broker.

2. docker-entrypoint.sh routes `docker run <image> cog-ha-matter ...`
   (or `ha-matter`) to /app/cog-ha-matter, defaulting --sensing-url to
   http://127.0.0.1:3000 so a docker-compose deployment works out of
   the box. The default entrypoint (no first arg) still launches
   sensing-server unchanged.

3. Workflow path filter now also fires on changes to
   v2/crates/wifi-densepose-bfld/** and v2/crates/cog-ha-matter/**
   so future iteration on those crates rebuilds the image.

DOCKERHUB_TOKEN rotated separately (was expired since 2026-05-13,
which is why the last 5 workflow runs failed at the Docker Hub login
step and `latest` on Docker Hub has stayed amd64-only despite #631
being merged). With this commit + rotated token, the next CI run
should land a multi-arch `:latest` with HA-DISCO + cog-ha-matter +
BFLD support.

Reproduced kutayozdur's pull failure on ruv-mac-mini (Apple Silicon,
Darwin arm64) via Tailscale before fixing.

Refs #794, #631, ADR-115, ADR-116, ADR-118.

Co-Authored-By: claude-flow <ruv@ruv.net>
---
 .github/workflows/sensing-server-docker.yml |  2 ++
 docker/Dockerfile.rust                      | 17 +++++++++++++----
 docker/docker-entrypoint.sh                 | 15 +++++++++++++++
 3 files changed, 30 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/sensing-server-docker.yml b/.github/workflows/sensing-server-docker.yml
index 6c74a09d..0a1215c1 100644
--- a/.github/workflows/sensing-server-docker.yml
+++ b/.github/workflows/sensing-server-docker.yml
@@ -26,6 +26,8 @@ on:
       - 'v2/crates/wifi-densepose-signal/**'
       - 'v2/crates/wifi-densepose-vitals/**'
       - 'v2/crates/wifi-densepose-wifiscan/**'
+      - 'v2/crates/wifi-densepose-bfld/**'
+      - 'v2/crates/cog-ha-matter/**'
       - 'v2/Cargo.toml'
       - 'v2/Cargo.lock'
       - 'ui/**'
diff --git a/docker/Dockerfile.rust b/docker/Dockerfile.rust
index 018e8dad..400769c8 100644
--- a/docker/Dockerfile.rust
+++ b/docker/Dockerfile.rust
@@ -14,9 +14,14 @@ COPY v2/crates/ ./crates/
 # Copy vendored RuVector crates
 COPY vendor/ruvector/ /build/vendor/ruvector/
 
-# Build release binary
-RUN cargo build --release -p wifi-densepose-sensing-server 2>&1 \
-    && strip target/release/sensing-server
+# Build release binaries:
+#   - sensing-server with `mqtt` feature so the HA-DISCO MQTT publisher
+#     (ADR-115) is wired in (auto-discovery topics flow to Home Assistant)
+#   - cog-ha-matter, the ADR-116 Cognitum cog that wraps HA-DISCO +
+#     HA-MIND + mDNS + embedded broker for Home Assistant / Matter
+RUN cargo build --release -p wifi-densepose-sensing-server --features mqtt 2>&1 \
+ && cargo build --release -p cog-ha-matter 2>&1 \
+ && strip target/release/sensing-server target/release/cog-ha-matter
 
 # Stage 2: Runtime
 FROM debian:bookworm-slim
@@ -27,8 +32,9 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
 
 WORKDIR /app
 
-# Copy binary
+# Copy binaries
 COPY --from=builder /build/target/release/sensing-server /app/sensing-server
+COPY --from=builder /build/target/release/cog-ha-matter /app/cog-ha-matter
 
 # Copy UI assets
 COPY ui/ /app/ui/
@@ -45,6 +51,7 @@ RUN set -e; \
         test -d "$d" || { echo "FATAL: missing UI directory $d"; exit 1; }; \
     done; \
     test -x /app/sensing-server || { echo "FATAL: /app/sensing-server is not executable"; exit 1; }; \
+    test -x /app/cog-ha-matter || { echo "FATAL: /app/cog-ha-matter is not executable"; exit 1; }; \
     echo "image assets OK"
 
 # Optional bearer-token auth on /api/v1/*: leave unset for LAN-mode (default),
@@ -58,6 +65,8 @@ EXPOSE 3000
 EXPOSE 3001
 # ESP32 UDP
 EXPOSE 5005/udp
+# MQTT broker (cog-ha-matter embedded broker — Home Assistant + Matter)
+EXPOSE 1883
 
 ENV RUST_LOG=info
 
diff --git a/docker/docker-entrypoint.sh b/docker/docker-entrypoint.sh
index ac62cb21..428c2e13 100755
--- a/docker/docker-entrypoint.sh
+++ b/docker/docker-entrypoint.sh
@@ -15,6 +15,21 @@
 #   MODELS_DIR   — directory to scan for .rvf model files (default: data/models)
 set -e
 
+# Route to cog-ha-matter (ADR-116) when invoked as:
+#   docker run <image> cog-ha-matter [--flags]
+# or via the short alias `ha-matter`. Strips the keyword and execs the
+# Home Assistant + Matter cog binary, defaulting --sensing-url to the
+# co-located sensing-server endpoint so docker-compose deployments work
+# out of the box.
+case "${1:-}" in
+    cog-ha-matter|ha-matter)
+        shift
+        exec /app/cog-ha-matter \
+            --sensing-url "${SENSING_URL:-http://127.0.0.1:3000}" \
+            "$@"
+        ;;
+esac
+
 # If the first argument looks like a flag (starts with -), prepend the
 # server binary so users can just pass flags:
 #   docker run <image> --source esp32 --tick-ms 500