Commit Graph

2 Commits

Author SHA1 Message Date
ruv 29f23cb97e feat(adr-118/p4.4): rf_signature_hash JSON as "blake3:<hex>" (128/128 GREEN)
Iter 17. Lands the BFLD JSON wire spec format for rf_signature_hash —
a "blake3:" prefix followed by 64 lowercase hex chars. Replaces the
default serde array-of-integers encoding which was unusable for
downstream consumers (HA, Matter, MQTT).

Added (in src/event.rs):
- ser_rf_signature_hash<S>(hash: &Option<[u8;32]>, s) custom serializer
- Field attribute on BfldEvent.rf_signature_hash now uses
  serialize_with = "ser_rf_signature_hash" alongside skip_serializing_if
- nibble_to_hex(u8) -> char private const fn (no `hex` crate dep needed
  for 32 bytes; lowercase hex is trivial)
- Output format: "blake3:deadbeef..." exactly 71 ASCII chars

tests/json_hash_format.rs (5 named tests, all green):
  rf_signature_hash_serializes_as_blake3_prefixed_lowercase_hex
    (expected hex built programmatically via format!("{b:02x}"))
  hex_string_is_always_64_chars_when_present
    (parses the JSON, isolates the hash substring, asserts exact 64
     chars and lowercase-only — catches case-folding regressions)
  hash_field_omitted_entirely_when_none
  end_to_end_emitter_hasher_to_json_emits_blake3_hex_hash
    *** Cross-iter integration test: BfldEmitter::with_signature_hasher
        → SensingInputs.rf_signature_hash = None → emit derives via
        BLAKE3 → BfldEvent::to_json → contains "blake3:" prefix.
        Spans iters 13, 14, 15, 16, 17 in a single assertion. ***
  end_to_end_restricted_class_omits_hash_even_with_hasher_set
    (class 3: even with hasher installed, JSON omits the hash)

ACs progressed:
- BFLD wire spec §6 — rf_signature_hash JSON shape now matches the
  documented format ("blake3:..."); HA / Matter consumers can parse
  it without custom byte-array decoding.
- ADR-118 §1 invariant I3 — visibility: the JSON wire form now
  cryptographically tags the hash with its algorithm prefix, so
  consumers can verify they're not parsing a different (weaker)
  hash that a future PR might accidentally substitute.

Test config:
- cargo test --no-default-features → 72 passed (json_hash_format cfg-out)
- cargo test                       → 128 passed (123 + 5)

Out of scope (next iter target):
- IdentityFeatures typed encoder so callers feeding BfldEmitter don't
  need to know that embedding bytes serve as hasher input.
- Replace the manual hex push with `hex::encode` if/when the workspace
  takes on the `hex` crate dep for other reasons; current path saves
  the dep without sacrificing correctness.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-05-24 16:08:29 -04:00
ruv 926c66f677 feat(adr-118/p4.1): BfldEvent privacy-gated output + JSON (102/102 GREEN)
Iter 13. Lands ADR-121 §2.1 (output event) + ADR-122 §2.1 (field-gating
policy). BfldEvent collapses the GateAction-driven sensing pipeline
into the canonical wire-format publishable on MQTT.

Added:
- serde (workspace, derive feature, optional) + serde_json (workspace, optional) deps
- New crate feature `serde-json` (default-on; requires `std`)
- src/event.rs (gated on `feature = "std"`):
  * BfldEvent struct with all sensing + identity-derived fields
  * with_privacy_gating(...) constructor that applies field-gating policy:
      class < Restricted (3): identity_risk_score + rf_signature_hash kept
      class >= Restricted (3): both nulled to None
  * apply_privacy_gating() — idempotent in-place masking
  * to_json() -> Result<String, serde_json::Error> (gated on serde-json)
  * Custom ser_privacy_class serializer emits lowercase names
    ("anonymous", "restricted", etc.) per the BFLD JSON spec
  * skip_serializing_if = "Option::is_none" on identity-derived fields so
    privacy-gated events are observationally indistinguishable from
    events that never had the field set
- pub use BfldEvent from lib.rs

tests/event_privacy_gating.rs (9 named tests, all green):
  anonymous_event_retains_identity_risk_and_hash
  restricted_event_strips_identity_fields (class 3 → None)
  apply_privacy_gating_is_idempotent
  event_type_is_always_bfld_update (parameterized over 3 classes)
  json::json_round_trip_emits_type_field_first_or_last_but_present
  json::anonymous_json_includes_identity_fields
  json::restricted_json_omits_identity_fields_entirely
    (asserts the JSON string does NOT contain identity_risk_score or
     rf_signature_hash, verifying skip_serializing_if works as intended)
  json::privacy_class_serializes_to_lowercase_name
  json::zone_id_none_is_omitted_from_json

ACs progressed:
- ADR-121 AC6 (identity_risk score absent at class 3) — structurally
  enforced by with_privacy_gating + skip_serializing_if combination.
- ADR-122 AC1 — JSON shape matches the HA-DISCO publishable event
  contract; identity fields can be reliably stripped by privacy_class.
- ADR-118 AC5 — privacy_mode = engaged maps to PrivacyClass::Restricted
  with no identity fields in the published event.

Test config:
- cargo test --no-default-features → 64 passed (unchanged; event cfg-out)
- cargo test                       → 102 passed (93 + 9)

Out of scope (next iter target):
- Emitter struct that wires GateAction + privacy class + sensing inputs
  into BfldEvent construction (ADR-118 §2.1 pipeline diagram).
- MQTT topic publisher (ADR-122 §2.2) — depends on a runtime (tokio).

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-05-24 15:27:49 -04:00