* feat(ADR-262 P3): live RuField surface — RuView sensing speaks RuField on /api/field + /ws/field
Wire the P1 `wifi-densepose-rufield` bridge into the live
`wifi-densepose-sensing-server` so the governed sensing cycle emits real
signed RuField `FieldEvent`s on two additive endpoints.
- Cargo: add the `wifi-densepose-rufield` path dep (the single coupling
point, ADR-262 §5.4 — no new RuView-internal coupling).
- New `src/rufield_surface.rs` (kept out of the 8k-line main.rs):
`FieldSurface` holds a dedicated ed25519 `Signer` + a bounded ring of
recent events + the `/ws/field` broadcast topic; `GET /api/field` and
`GET /ws/field` handlers; a standalone `router()` for isolated testing.
- Signer (defers the P2 key decision, ADR-262 §8 Q1): a STANDALONE
dev/sensing key from `WDP_RUFIELD_SIGNING_SEED`, else a deterministic
dev default with a logged WARN. Reusing the `cog-ha-matter` Ed25519
key is the deferred P2 call — P3 does not pre-empt it.
- Tap: at the ESP32 governed-trust cycle (`main.rs` ~5886 observe_cycle
/ ~5938 SensingUpdate build), `emit_rufield_event` joins the cycle's
features/classification/signal_field with the engine's
effective_class/demoted trust state into a `SensingSnapshot` and
surfaces it via the bridge. Existing endpoints (`/ws/sensing` etc.)
are unchanged — purely additive.
- Privacy egress: `network_egress_allowed` is fail-closed for an
unattended live surface — only P1/P2 leave the box; P0 raw and
P3/P4/P5 (identity/biometric/aggregate) are held edge-local. A
`Derived` cycle maps to P4/P5 and never surfaces.
- No-phantom: `emit` drops no-presence cycles (no fabricated events).
Gates (tests/rufield_surface_test.rs, tower::oneshot, 4/0): well-formed
signed event (WifiCsi, P2 not P1, is_fusable, real timestamp); empty
cycle → no phantom; Derived trust never surfaces; mixed stream surfaces
only egress-safe events.
Honesty (ADR-262 §0/§6): real plumbing on a live endpoint, NOT accuracy.
Single-link CSI with its existing caveats (no validated room-coordinate
accuracy); dedicated dev signing key pending the P2 ownership decision;
no accuracy claim.
Co-Authored-By: claude-flow <ruv@ruv.net>
* docs(ADR-262 P3): mark P1+P3 implemented; document /api/field + /ws/field; CHANGELOG
- ADR-262 Status → "P1 + P3 implemented"; add a P3 implementation-status
block (tap site, endpoints, dedicated dev signer deferring the §8 Q1
key decision, fail-closed egress, gates). Keep the honesty framing:
real plumbing on a live endpoint, not accuracy.
- CHANGELOG [Unreleased]: add the ADR-262 P3 entry.
- user-guide: add `/api/field` to the REST table + a "RuField surface
(ADR-262 P3)" section covering `/api/field` + `/ws/field`, the
fail-closed P1/P2-only egress, the WDP_RUFIELD_SIGNING_SEED dev key,
and the no-accuracy honesty note.
Co-Authored-By: claude-flow <ruv@ruv.net>
* ci: checkout submodules everywhere + Dockerfile copies vendor/rufield
Making wifi-densepose-rufield (ADR-262 bridge) a v2 workspace member means
EVERY cargo-on-workspace context must have the vendor/rufield submodule
present (cargo loads all member manifests). P1 only fixed the rust-tests
job; this adds `submodules: recursive` to all workflow checkouts that run
cargo (mqtt-integration was failing on the missing submodule manifest), and
makes Dockerfile.rust COPY vendor/rufield/ to /vendor/rufield (matches the
bridge's ../../../vendor/rufield path-dep under the collapsed Docker layout).
update-submodules.yml left alone (it manages submodules itself).
Co-Authored-By: claude-flow <ruv@ruv.net>
---------
Co-authored-by: ruv <ruvnet@gmail.com>
Definitive root cause of the failing determinism gate: the SHA-256 of
fixed-decimal-rounded features is bit-exact only WITHIN one CPU
microarchitecture. Windows and a second Linux box (ruvultra, identical
numpy 2.4.2/scipy 1.17.1) produce the same hash at every precision
(ca58956c), but the GitHub Azure runner diverges at EVERY precision
including 2 decimals (667eb054) — because pocketfft/BLAS reorders FP
reductions per-microarch and the ~1e-6 *relative* drift lands on
large-magnitude PSD bins as an absolute difference no fixed-decimal grid
can absorb. So no quantization can fix it; the primitive was wrong.
Fix: keep the bit-exact SHA-256 as the strong same-platform proof, and
add a relative-tolerance fallback (np.allclose, rtol=1e-4/atol=1e-6)
against a committed reference feature vector (expected_features_reference.npz,
36,800 float64 values). A run PASSES on either; tolerances sit ~100x over
the observed microarch drift and ~10x under any signal-meaningful change,
so real regressions still fail. Verified locally: bit-exact MATCH -> PASS,
and a corrupted hash falls through to TOLERANCE MATCH -> PASS. CI (Azure,
different hash) now passes via the tolerance path. Removes the temporary
sweep diagnostic.
Co-Authored-By: claude-flow <ruv@ruv.net>
verify.py's HASH_QUANTIZATION_DECIMALS is now overridable via
PROOF_HASH_DECIMALS. Finding: the determinism divergence is NOT
Windows-vs-Linux — Windows and a second Linux box (ruvultra, same
numpy/scipy) produce identical hashes at every precision, including
ca58956c at 6 decimals. Only the GitHub Azure CI runner diverges
(667eb054), i.e. a CPU-microarchitecture pocketfft/BLAS reordering
(the #560 Skylake-vs-Cascade-Lake class).
Temporary diagnostic sweep step prints the CI runner's hash at decimals
6..2 so we can pick the coarsest precision that collapses the
microarch divergence to the common hash. Both the sweep step and the
PROOF_HASH_DECIMALS plumbing are removed/finalized in the follow-up.
Co-Authored-By: claude-flow <ruv@ruv.net>
The determinism gate is path-filtered, but requirements-lock.txt (which
pins the numpy/scipy versions that *produce* the proof hash) was not in
the filter — so a dependency bump could silently drift the hash without
re-running the gate. That's how the 1.26.4 pin diverged from the
published ca58956c hash unnoticed. Add requirements-lock.txt to both the
push and pull_request path filters so this PR (and any future lock
change) actually re-runs verify.py.
Co-Authored-By: claude-flow <ruv@ruv.net>
* fix(verify): quantize features before SHA-256 for cross-platform hash stability (#560)
## The bug
archive/v1/data/proof/verify.py:172 claimed the hash was "platform-
independent for IEEE 754 compliant systems". That claim is empirically
false. scipy.fft's pocketfft uses SIMD vector kernels — AVX2/AVX-512 on
x86_64, NEON on Apple Silicon — that reorder vectorized FP operations
differently per build. IEEE 754 guarantees per-operation determinism,
not associativity under reordering, so two correct platforms produce
values that differ at ULP precision (~1e-14 at our magnitudes of 1-100).
The SHA-256 of features_to_bytes() then explodes that ULP-level
divergence into a totally different hash, which is what bug report #560
caught on macOS arm64:
| Platform | numpy/scipy | sha256 (legacy) |
|----------|-------------|-----------------|
| Windows (Intel AVX-512) | 2.4.2 / 1.17.1 | 78b3fb… |
| ruvultra (Linux x86_64) | 1.26.4 / 1.14.1 | 41dc56… |
| ruv-mac-mini (Apple Silicon NEON) | 2.4.4 / 1.17.1 | 9b5e19… |
## The fix
features_to_bytes() now np.round(.., HASH_QUANTIZATION_DECIMALS=9)s each
array before packing as little-endian f64. That snaps the float bytes
to a single canonical representation across SIMD backends.
The 9-decimal precision is:
- ~5 orders of magnitude above the worst-case ULP drift observed in
probe-fft-platform.py measurements
- Many orders of magnitude below any meaningful signal change (CSI
phase precision is ~1e-3 rad; PSD bins differ by orders of magnitude)
- Conservative — could tighten to 11-12 decimals if needed, but 9
leaves comfortable headroom for future scipy SIMD changes
## Probe-side verification
scripts/probe-fft-platform.py now emits BOTH sha256_raw (unrounded,
legacy) and sha256_quantized (new platform-invariant hash). Running it
on Windows here produced:
sha256_raw = 78b3fb4acb8cc18c3e870f92e29ee98143c7cac4767f2f71b0fc384a82b92f6e
sha256_quantized = a587792c050cf697366b9bef4611050f9dc3af56624915ab2452c3c11362e79a
quantization_decimals = 9
On Linux and macOS arm64 the maintainer should observe the SAME
sha256_quantized value (and a different sha256_raw) — that's the
fix working.
## What this PR does NOT do
The published archive/v1/data/proof/expected_features.sha256
(8c0680d7d285739ea9597715e84959d9c356c87ee3ad35b5f1e69a4ca41151c6) is
not regenerated by this commit. That step needs to run on a canonical
CI platform (likely the Linux x86_64 host used for releases) AFTER this
fix lands. The regeneration command is:
python archive/v1/data/proof/verify.py --generate-hash
After regeneration, every platform running ./verify will produce the
same hash and the proof replay will be honestly cross-platform — which
is what the ADR-028 trust-kill-switch promised.
## Files
- archive/v1/data/proof/verify.py — add HASH_QUANTIZATION_DECIMALS=9
constant, quantize in features_to_bytes(), correct the misleading
"platform-independent" claim in the docstring
- scripts/probe-fft-platform.py — emit both raw and quantized hashes
- scripts/fix-markers.json — RuView#560 marker prevents removing the
np.round() call without explicit intent
- CHANGELOG.md — Fixed entry under [Unreleased] documenting the change
and flagging the expected_features.sha256 regeneration as a follow-up
Co-Authored-By: claude-flow <ruv@ruv.net>
* ci: fix verify-pipeline.yml working-directory from v1/ to archive/v1/
The verify-pipeline workflow's "Run pipeline verification" and "Run
verification twice to confirm determinism" steps use
`working-directory: v1` but `v1/` was archived to `archive/v1/` long
ago. The workflow fails before verify.py even runs:
##[error]An error occurred trying to start process '/usr/bin/bash'
with working directory '/home/runner/work/RuView/RuView/v1'.
No such file or directory
Same v1 → archive/v1 path correction that already shipped for the
./verify wrapper (RuView#559 / PR #590) and the other lint workflows
(RuView#489).
Required to make the determinism check actually run on PR #609 (the
quantize-before-hash work) — the canonical Linux hash needed for
expected_features.sha256 will fall out of the next CI log once this
fix lands.
* fix(proof): regenerate expected_features.sha256 with the quantized canonical hash
The hash on the previous line was the legacy pre-quantization value
(8c0680d7d28573…), which by definition cannot match the quantized
output that this branch's verify.py now produces. Replaced with the
canonical Linux x86_64 hash captured from the CI run on this branch:
d9985569b3ab833c74b7c9254df568bbb144879e2222edb0bcf2605bfd4c155b
Source of truth: run 26005976495 / "Verify Pipeline Determinism (3.11)"
on Ubuntu 24.04, Python 3.11.15, exercising the full verify.py pipeline
on the 100 reference frames in archive/v1/data/proof/sample_csi_data.json.
Reproducibility expectation now changes:
- Linux x86_64 (canonical platform): sha256 = d9985569… ✓ this commit
- macOS arm64 / Apple Silicon NEON: sha256 = d9985569… should match
after quantization
- Windows AMD64 (with pydantic-clean .env): sha256 = d9985569… should match
after quantization
If macOS arm64 still mismatches after this, the quantization decimals
need to be tightened from 9 to 11 or 12 (HASH_QUANTIZATION_DECIMALS
in verify.py); the headroom analysis in the original commit suggests
9 is safe but 9-decimal SIMD drift hasn't been measured in the
full-pipeline output yet (only in the probe).
Closes the maintainer-action-required item on PR #609.
* fix(proof): bump quantization to 6 decimals (9 wasn't enough across Azure CI microarchs)
Two back-to-back Ubuntu 24.04 / Python 3.11 / scipy 1.17 CI runs on
PR #609 landed on different Azure VM microarchitectures and produced
two different SHA-256s even after np.round(.., 9):
Run 1: d9985569b3ab833c74b7c9254df568bbb144879e2222edb0bcf2605bfd4c155b
Run 2: 37c49a1f6b87207fa9fc67f2d6a85c4417dd4a536573605fd175510d1dce7cbe
Same JSON input, same byte count hashed (294,400), same Python version,
same scipy version. The only variable is the underlying CPU pocketfft
SIMD kernel.
The full DSP pipeline (preprocess → biquad bandpass → FFT → PSD →
variance accumulation) amplifies the ~1e-14 raw FFT divergence by
several orders of magnitude — the actual drift at features_to_bytes()
input can reach 1e-7 or worse, which is well within the 1e-9 quantization
window I originally picked.
Bumping to 6 decimals = parts per million. ~6 orders of magnitude
headroom over observed pipeline-amplified ULP drift. Still far below
any meaningful signal change (CSI phase precision ~1e-3 rad). Kept the
probe constant in sync.
Will trigger CI on this branch immediately after push; the new
expected_features.sha256 will be regenerated from whichever microarch
the next CI run lands on, but should be stable across all subsequent
runs at 6-decimal quantization.
* chore(probe): keep HASH_QUANTIZATION_DECIMALS in sync with verify.py (now 6)
* fix(proof): regenerate expected_features.sha256 for 6-decimal quantization
* ci: pin thread count to 1 for proof verification (scipy.fft threading non-determinism)
The Rust port at v2/ has been the primary codebase since the rename
in #427. The Python implementation at v1/ is no longer the active
target; the only load-bearing path is the deterministic proof bundle
at v1/data/proof/ (per ADR-011 / ADR-028 witness verification).
Move the whole Python tree into archive/v1/ and document the policy
in archive/README.md: no new features, bug fixes only when they affect
a still-load-bearing path (currently just the proof), CI continues to
verify the proof on every push and PR.
Path references updated in 26 files via path-pattern sed (only
matches v1/<known-child> patterns, never bare v1 or API URLs like
/api/v1/). Two double-prefix typos (archive/archive/v1/) caught and
hand-fixed in verify-pipeline.yml and ADR-011.
Validated:
- Python proof verify.py imports cleanly at archive/v1/data/proof/
(numpy/scipy still required; CI installs requirements-lock.txt
from archive/v1/ now)
- cargo test --workspace --no-default-features → 1,539 passed,
0 failed, 8 ignored (unaffected by Python tree relocation)
- ESP32-S3 on COM7 untouched (no firmware paths changed)
After-merge: contributors should re-run any local `python v1/...`
commands as `python archive/v1/...` (CLAUDE.md and CHANGELOG already
updated).
- .github/workflows/verify-pipeline.yml: CI that verifies pipeline
determinism and checks for np.random in production code
- ui/components/body-model.js: Three.js 3D human body model with
24 DensePose body parts mapped to 3D geometry
- v1/requirements-lock.txt: Minimal pinned dependencies for verification
- v1/src/api/dependencies.py: Fix mock auth returns with proper errors
- v1/src/core/router_interface.py: Additional mock mode cleanup
- v1/src/services/pose_service.py: Further mock elimination in service
https://claude.ai/code/session_01Ki7pvEZtJDvqJkmyn6B714
dependabot[bot]
rUv
Claude