18 changed files with 170 additions and 2143 deletions
--- a/archive/v1/data/proof/expected_features.sha256
+++ b/archive/v1/data/proof/expected_features.sha256
@ -1 +1 @@
-ca58956c1bbee8c46f1798b3d6b6f1f829aa5db90bba53e07177830eca429199
+667eb054c44ac510342665bf9c93d608868a8ead948ae8774b2796ebce6f8fe7
--- a/archive/v1/src/config/settings.py
+++ b/archive/v1/src/config/settings.py
@ -26,12 +26,7 @@ class Settings(BaseSettings):
    workers: int = Field(default=1, description="Number of worker processes")
    
    # Security settings
-    secret_key: str = Field(
-        default="dev-not-secret-CHANGE-IN-PROD",
-        description="Secret key for JWT tokens (production deployments "
-                    "MUST override via SECRET_KEY env or .env; the dev "
-                    "default is rejected by validate_production_config)",
-    )
+    secret_key: str = Field(..., description="Secret key for JWT tokens")
    jwt_algorithm: str = Field(default="HS256", description="JWT algorithm")
    jwt_expire_hours: int = Field(default=24, description="JWT token expiration in hours")
    allowed_hosts: List[str] = Field(default=["*"], description="Allowed hosts")
@ -163,14 +158,7 @@ class Settings(BaseSettings):
    model_config = SettingsConfigDict(
        env_file=".env",
        env_file_encoding="utf-8",
-        case_sensitive=False,
-        # Tolerate `.env` keys that this Settings model doesn't declare
-        # (e.g., NPM_TOKEN, DOCKER_HUB_TOKEN, PYPI_TOKEN used by other
-        # tooling). Without `extra="ignore"` pydantic-settings 2.x
-        # raises `ValidationError: Extra inputs are not permitted` and
-        # leaks the offending values into the error message — a real
-        # security concern for secret tokens. See verify.py / `./verify`.
-        extra="ignore",
+        case_sensitive=False
    )
    
    @field_validator("environment")
--- a/frontend/src/main.ts
+++ b/frontend/src/main.ts
@ -9,34 +9,3 @@ import './styles/base.css';
 // Register custom elements
 import './components/AppShell.js';
 import './components/StateCard.js';
-import './pages/Dashboard.js';
-import './pages/States.js';
-import './pages/Services.js';
-import './pages/Settings.js';
-
-// Tiny router: the AppShell dispatches `hc-navigate` on every nav
-// click. We swap whichever page element is sitting in its <slot>
-// based on the new active id. Default page on first paint = dashboard.
-const NAV_TO_TAG: Record<string, string> = {
-    dashboard: 'hc-dashboard',
-    states: 'hc-states',
-    services: 'hc-services',
-    settings: 'hc-settings',
-};
-
-function mountPage(shell: Element, tag: string): void {
-    // Remove any existing page (everything that isn't itself the shell).
-    Array.from(shell.children).forEach((c) => c.remove());
-    shell.appendChild(document.createElement(tag));
-}
-
-window.addEventListener('DOMContentLoaded', () => {
-    const shell = document.querySelector('hc-app-shell');
-    if (!shell) return;
-    mountPage(shell, 'hc-dashboard');
-    shell.addEventListener('hc-navigate', (ev) => {
-        const id = (ev as CustomEvent<{ id: string }>).detail?.id;
-        const tag = id ? NAV_TO_TAG[id] : undefined;
-        if (tag) mountPage(shell, tag);
-    });
-});
--- a/frontend/src/pages/Dashboard.ts
+++ b/frontend/src/pages/Dashboard.ts
@ -1,143 +0,0 @@
-/**
- * Dashboard page — fetches HOMECORE state + config from the backend and
- * populates the `<hc-app-shell>` slot with a grid of `<hc-state-card>`.
- *
- * Auth: reads bearer from `localStorage["homecore.token"]`, the
- * `?token=` query string, or `HOMECORE_TOKEN` `<meta>` tag — in that
- * order. Falls back to the literal "dev-token" in DEV-mode backends
- * (any non-empty bearer is accepted when HOMECORE_TOKENS is unset).
- */
-
-import { LitElement, html, css } from 'lit';
-import { customElement, state } from 'lit/decorators.js';
-
-import { HomecoreClient } from '../api/client.js';
-import type { ApiConfig, StateView } from '../api/types.js';
-
-function resolveToken(): string {
-    if (typeof localStorage !== 'undefined') {
-        const stored = localStorage.getItem('homecore.token');
-        if (stored) return stored;
-    }
-    const url = new URL(window.location.href);
-    const qs = url.searchParams.get('token');
-    if (qs) return qs;
-    const meta = document.querySelector<HTMLMetaElement>('meta[name="homecore-token"]');
-    if (meta?.content) return meta.content;
-    return 'dev-token';
-}
-
-@customElement('hc-dashboard')
-export class Dashboard extends LitElement {
-    static styles = css`
-        :host {
-            display: block;
-            padding: 24px;
-            color: var(--hc-fg, #e6e9ec);
-            font-family: var(--hc-font-sans, 'Outfit', system-ui, sans-serif);
-        }
-        .meta {
-            display: flex;
-            gap: 16px;
-            flex-wrap: wrap;
-            color: var(--hc-fg-dim, #8a93a0);
-            font-size: 14px;
-            margin-bottom: 16px;
-        }
-        .meta strong { color: var(--hc-fg, #e6e9ec); }
-        .grid {
-            display: grid;
-            grid-template-columns: repeat(auto-fill, minmax(260px, 1fr));
-            gap: 16px;
-        }
-        .empty,
-        .err {
-            padding: 24px;
-            border: 1px dashed var(--hc-border, #2a323e);
-            border-radius: 8px;
-            text-align: center;
-            color: var(--hc-fg-dim, #8a93a0);
-        }
-        .err {
-            border-color: #b35a5a;
-            color: #f0c0c0;
-            text-align: left;
-            font-family: var(--hc-font-mono, 'JetBrains Mono', monospace);
-            font-size: 13px;
-            white-space: pre-wrap;
-        }
-    `;
-
-    @state() private states: StateView[] = [];
-    @state() private config: ApiConfig | null = null;
-    @state() private error: string | null = null;
-    @state() private loading = true;
-
-    private client = new HomecoreClient({ token: resolveToken() });
-    private pollTimer: number | undefined;
-
-    connectedCallback(): void {
-        super.connectedCallback();
-        void this.refresh();
-        this.pollTimer = window.setInterval(() => void this.refresh(), 5000);
-    }
-
-    disconnectedCallback(): void {
-        if (this.pollTimer !== undefined) window.clearInterval(this.pollTimer);
-        super.disconnectedCallback();
-    }
-
-    private async refresh(): Promise<void> {
-        try {
-            const [cfg, states] = await Promise.all([
-                this.client.getConfig(),
-                this.client.getStates(),
-            ]);
-            this.config = cfg;
-            this.states = states;
-            this.error = null;
-        } catch (e) {
-            this.error = e instanceof Error ? e.message : String(e);
-        } finally {
-            this.loading = false;
-        }
-    }
-
-    render() {
-        if (this.error) {
-            return html`<div class="err">backend unreachable — ${this.error}\n\n
-                hint: make sure homecore-server is running on :8123 and that
-                the token in localStorage["homecore.token"] is accepted.
-            </div>`;
-        }
-        if (this.loading) {
-            return html`<div class="empty">loading HOMECORE state…</div>`;
-        }
-        const v = this.config?.version ?? '?';
-        const loc = this.config?.location_name ?? 'Home';
-        return html`
-            <div class="meta">
-                <span><strong>${loc}</strong></span>
-                <span>HOMECORE v<strong>${v}</strong></span>
-                <span><strong>${this.states.length}</strong> entities</span>
-            </div>
-            ${this.states.length === 0
-                ? html`<div class="empty">
-                      No entities registered yet. Run
-                      <code>bash scripts/homecore-seed.sh</code> to populate
-                      ~10 demo entities, or connect a plugin / integration.
-                  </div>`
-                : html`<div class="grid">
-                      ${this.states.map(
-                          (s) => html`<hc-state-card .state=${s}></hc-state-card>`
-                      )}
-                  </div>`}
-        `;
-    }
-}
-
-declare global {
-    interface HTMLElementTagNameMap {
-        'hc-dashboard': Dashboard;
-    }
-}
--- a/frontend/src/pages/Services.ts
+++ b/frontend/src/pages/Services.ts
@ -1,86 +0,0 @@
-/**
- * Services page — lists every registered service grouped by domain.
- * Reads from `/api/services` (HA-wire-compat).
- */
-
-import { LitElement, html, css } from 'lit';
-import { customElement, state } from 'lit/decorators.js';
-
-import { HomecoreClient } from '../api/client.js';
-import type { ServiceDomainView } from '../api/types.js';
-
-function resolveToken(): string {
-    if (typeof localStorage !== 'undefined') {
-        const stored = localStorage.getItem('homecore.token');
-        if (stored) return stored;
-    }
-    const qs = new URL(window.location.href).searchParams.get('token');
-    return qs ?? 'dev-token';
-}
-
-@customElement('hc-services')
-export class ServicesPage extends LitElement {
-    static styles = css`
-        :host { display: block; padding: 24px; color: var(--hc-text, #e6eaee); font-family: var(--hc-font-sans, 'Outfit', system-ui, sans-serif); }
-        h1 { font-size: 18px; font-weight: 600; margin: 0 0 16px 0; }
-        .domain { background: hsl(220 20% 10%); border: 1px solid var(--hc-border, #2a323e); border-radius: 8px; margin-bottom: 12px; padding: 14px 16px; }
-        .domain h2 { font-size: 14px; font-weight: 600; margin: 0 0 8px 0; color: var(--hc-primary, #19d4e5); font-family: var(--hc-font-mono, 'JetBrains Mono', monospace); }
-        ul { list-style: none; padding: 0; margin: 0; display: flex; flex-wrap: wrap; gap: 6px; }
-        li { background: hsl(220 25% 14%); padding: 4px 10px; border-radius: 4px; font-family: var(--hc-font-mono, 'JetBrains Mono', monospace); font-size: 12px; color: var(--hc-text-muted, #7b899d); }
-        .empty { padding: 24px; border: 1px dashed var(--hc-border, #2a323e); border-radius: 8px; text-align: center; color: var(--hc-text-muted, #7b899d); }
-        .err { padding: 16px; border: 1px dashed #b35a5a; border-radius: 8px; color: #f0c0c0; font-size: 13px; }
-    `;
-
-    @state() private domains: ServiceDomainView[] = [];
-    @state() private error: string | null = null;
-    @state() private loading = true;
-
-    private client = new HomecoreClient({ token: resolveToken() });
-
-    connectedCallback(): void {
-        super.connectedCallback();
-        void this.refresh();
-    }
-
-    private async refresh(): Promise<void> {
-        try {
-            const r = await fetch('/api/services', { headers: { 'Authorization': `Bearer ${resolveToken()}` } });
-            if (!r.ok) throw new Error(`/api/services -> HTTP ${r.status}`);
-            this.domains = await r.json();
-            this.error = null;
-        } catch (e) {
-            this.error = e instanceof Error ? e.message : String(e);
-        } finally {
-            this.loading = false;
-        }
-        void this.client;  // suppress unused warning while keeping the import shape consistent
-    }
-
-    render() {
-        if (this.error) return html`<div class="err">backend unreachable — ${this.error}</div>`;
-        if (this.loading) return html`<div>loading services…</div>`;
-        if (this.domains.length === 0) {
-            return html`
-                <h1>Services (0 domains)</h1>
-                <div class="empty">
-                    No services registered. Services are registered by plugins
-                    (Wasmtime or InProcess) or by integrations that call
-                    <code>services::register()</code> on boot.
-                </div>
-            `;
-        }
-        return html`
-            <h1>Services (${this.domains.length} domain${this.domains.length === 1 ? '' : 's'})</h1>
-            ${this.domains.map(d => html`
-                <div class="domain">
-                    <h2>${d.domain}</h2>
-                    <ul>
-                        ${Object.keys(d.services).map(name => html`<li>${name}</li>`)}
-                    </ul>
-                </div>
-            `)}
-        `;
-    }
-}
-
-declare global { interface HTMLElementTagNameMap { 'hc-services': ServicesPage; } }
--- a/frontend/src/pages/Settings.ts
+++ b/frontend/src/pages/Settings.ts
@ -1,94 +0,0 @@
-/**
- * Settings page — backend config + bearer-token editor (localStorage).
- */
-
-import { LitElement, html, css } from 'lit';
-import { customElement, state } from 'lit/decorators.js';
-
-import { HomecoreClient } from '../api/client.js';
-import type { ApiConfig } from '../api/types.js';
-
-function resolveToken(): string {
-    if (typeof localStorage !== 'undefined') {
-        const stored = localStorage.getItem('homecore.token');
-        if (stored) return stored;
-    }
-    const qs = new URL(window.location.href).searchParams.get('token');
-    return qs ?? 'dev-token';
-}
-
-@customElement('hc-settings')
-export class SettingsPage extends LitElement {
-    static styles = css`
-        :host { display: block; padding: 24px; color: var(--hc-text, #e6eaee); font-family: var(--hc-font-sans, 'Outfit', system-ui, sans-serif); }
-        h1 { font-size: 18px; font-weight: 600; margin: 0 0 16px 0; }
-        section { background: hsl(220 20% 10%); border: 1px solid var(--hc-border, #2a323e); border-radius: 8px; padding: 16px; margin-bottom: 16px; }
-        h2 { font-size: 14px; font-weight: 600; margin: 0 0 12px 0; color: var(--hc-primary, #19d4e5); }
-        dl { display: grid; grid-template-columns: max-content 1fr; gap: 6px 18px; margin: 0; font-size: 13px; font-family: var(--hc-font-mono, 'JetBrains Mono', monospace); }
-        dt { color: var(--hc-text-muted, #7b899d); }
-        dd { margin: 0; }
-        label { display: block; margin-bottom: 6px; font-size: 13px; color: var(--hc-text-muted, #7b899d); }
-        input { width: 100%; box-sizing: border-box; padding: 8px 12px; background: hsl(220 25% 14%); border: 1px solid var(--hc-border, #2a323e); border-radius: 6px; color: var(--hc-text, #e6eaee); font-family: var(--hc-font-mono, 'JetBrains Mono', monospace); font-size: 13px; }
-        button { margin-top: 10px; padding: 8px 16px; background: var(--hc-primary, #19d4e5); color: var(--hc-primary-fg, #0b0e13); border: none; border-radius: 6px; font-weight: 600; font-size: 13px; cursor: pointer; font-family: var(--hc-font-sans, 'Outfit', system-ui, sans-serif); }
-        button:hover { background: hsl(185 80% 55%); }
-        .toast { font-size: 12px; color: var(--hc-primary, #19d4e5); margin-top: 8px; }
-        .err { padding: 16px; border: 1px dashed #b35a5a; border-radius: 8px; color: #f0c0c0; font-size: 13px; }
-    `;
-
-    @state() private config: ApiConfig | null = null;
-    @state() private error: string | null = null;
-    @state() private token = resolveToken();
-    @state() private savedAt = 0;
-
-    private client = new HomecoreClient({ token: resolveToken() });
-
-    connectedCallback(): void {
-        super.connectedCallback();
-        void this.refresh();
-    }
-
-    private async refresh(): Promise<void> {
-        try {
-            this.config = await this.client.getConfig();
-            this.error = null;
-        } catch (e) {
-            this.error = e instanceof Error ? e.message : String(e);
-        }
-    }
-
-    private saveToken() {
-        localStorage.setItem('homecore.token', this.token);
-        this.savedAt = Date.now();
-        this.client = new HomecoreClient({ token: this.token });
-        void this.refresh();
-    }
-
-    render() {
-        return html`
-            <h1>Settings</h1>
-            <section>
-                <h2>backend</h2>
-                ${this.error
-                    ? html`<div class="err">unreachable — ${this.error}</div>`
-                    : this.config
-                    ? html`<dl>
-                          <dt>location</dt><dd>${this.config.location_name}</dd>
-                          <dt>version</dt><dd>${this.config.version}</dd>
-                          <dt>state</dt><dd>${this.config.state}</dd>
-                          <dt>components</dt><dd>${this.config.components.join(', ')}</dd>
-                      </dl>`
-                    : html`loading…`}
-            </section>
-            <section>
-                <h2>auth — bearer token</h2>
-                <label for="tok">stored at localStorage["homecore.token"]; DEV mode accepts any non-empty value</label>
-                <input id="tok" type="password" .value=${this.token}
-                       @input=${(e: Event) => (this.token = (e.target as HTMLInputElement).value)} />
-                <button @click=${this.saveToken}>save & reload backend</button>
-                ${this.savedAt > 0 ? html`<div class="toast">saved at ${new Date(this.savedAt).toLocaleTimeString()}</div>` : ''}
-            </section>
-        `;
-    }
-}
-
-declare global { interface HTMLElementTagNameMap { 'hc-settings': SettingsPage; } }
--- a/frontend/src/pages/States.ts
+++ b/frontend/src/pages/States.ts
@ -1,85 +0,0 @@
-/**
- * States page — full table view of every entity in the state machine.
- * Mirrors Home Assistant's `/developer-tools/state` view (read-only).
- */
-
-import { LitElement, html, css } from 'lit';
-import { customElement, state } from 'lit/decorators.js';
-
-import { HomecoreClient } from '../api/client.js';
-import type { StateView } from '../api/types.js';
-
-function resolveToken(): string {
-    if (typeof localStorage !== 'undefined') {
-        const stored = localStorage.getItem('homecore.token');
-        if (stored) return stored;
-    }
-    const qs = new URL(window.location.href).searchParams.get('token');
-    return qs ?? 'dev-token';
-}
-
-@customElement('hc-states')
-export class StatesPage extends LitElement {
-    static styles = css`
-        :host { display: block; padding: 24px; color: var(--hc-text, #e6eaee); font-family: var(--hc-font-sans, 'Outfit', system-ui, sans-serif); }
-        h1 { font-size: 18px; font-weight: 600; margin: 0 0 16px 0; }
-        table { width: 100%; border-collapse: collapse; font-size: 13px; }
-        th { text-align: left; padding: 10px 12px; border-bottom: 1px solid var(--hc-border, #2a323e); color: var(--hc-text-muted, #7b899d); font-weight: 500; }
-        td { padding: 10px 12px; border-bottom: 1px solid hsl(220 15% 14%); font-family: var(--hc-font-mono, 'JetBrains Mono', monospace); }
-        td.attrs { color: var(--hc-text-muted, #7b899d); font-size: 12px; max-width: 380px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
-        tr:hover td { background: hsl(220 20% 10%); }
-        .state { color: var(--hc-primary, #19d4e5); }
-        .err { padding: 16px; border: 1px dashed #b35a5a; border-radius: 8px; color: #f0c0c0; font-family: var(--hc-font-mono, 'JetBrains Mono', monospace); font-size: 13px; }
-    `;
-
-    @state() private states: StateView[] = [];
-    @state() private error: string | null = null;
-    @state() private loading = true;
-
-    private client = new HomecoreClient({ token: resolveToken() });
-    private timer?: number;
-
-    connectedCallback(): void {
-        super.connectedCallback();
-        void this.refresh();
-        this.timer = window.setInterval(() => void this.refresh(), 5000);
-    }
-    disconnectedCallback(): void {
-        if (this.timer !== undefined) window.clearInterval(this.timer);
-        super.disconnectedCallback();
-    }
-
-    private async refresh(): Promise<void> {
-        try {
-            this.states = await this.client.getStates();
-            this.error = null;
-        } catch (e) {
-            this.error = e instanceof Error ? e.message : String(e);
-        } finally {
-            this.loading = false;
-        }
-    }
-
-    render() {
-        if (this.error) return html`<div class="err">backend unreachable — ${this.error}</div>`;
-        if (this.loading) return html`<div>loading…</div>`;
-        return html`
-            <h1>States (${this.states.length})</h1>
-            <table>
-                <thead><tr><th>entity_id</th><th>state</th><th>last_changed</th><th>attributes</th></tr></thead>
-                <tbody>
-                    ${this.states.map(s => html`
-                        <tr>
-                            <td>${s.entity_id}</td>
-                            <td class="state">${s.state}</td>
-                            <td>${s.last_changed.replace('T', ' ').replace(/\..*$/, '')}</td>
-                            <td class="attrs" title=${JSON.stringify(s.attributes)}>${JSON.stringify(s.attributes)}</td>
-                        </tr>
-                    `)}
-                </tbody>
-            </table>
-        `;
-    }
-}
-
-declare global { interface HTMLElementTagNameMap { 'hc-states': StatesPage; } }
--- a/scripts/homecore-seed.sh
+++ b/scripts/homecore-seed.sh
@ -1,83 +0,0 @@
-#!/usr/bin/env bash
-#
-# homecore-seed.sh — populate the empty HOMECORE state machine with a
-# representative cross-section of entities so the web UI renders
-# useful content right after `homecore-server` boots.
-#
-# When homecore-server starts with no plugins loaded and no
-# integrations enabled, its state machine is empty by design — the
-# web UI shows "No entities registered yet". This script POSTs ~10
-# real-looking entities via the HA-compat REST surface.
-#
-# Where the numbers come from:
-#   - sensor.living_room_presence / _motion / bedroom_breathing_rate /
-#     bedroom_heart_rate are pulled live from the RuView sensing-server
-#     (RUVIEW_URL/api/v1/vitals/12/latest) when reachable.
-#   - Other entities use plausible literals.
-#
-# Usage:
-#   bash scripts/homecore-seed.sh
-#   HOMECORE_URL=http://localhost:8123 HOMECORE_TOKEN=dev-token bash scripts/homecore-seed.sh
-#   RUVIEW_URL=http://ruv-mac-mini:3000 bash scripts/homecore-seed.sh  # live numbers
-#
-# Idempotent: re-running just updates the values.
-
-set -euo pipefail
-
-URL="${HOMECORE_URL:-http://127.0.0.1:8123}"
-TOKEN="${HOMECORE_TOKEN:-dev-token}"
-RUVIEW_URL="${RUVIEW_URL:-http://localhost:3000}"
-
-post() {
-    local entity_id="$1"; shift
-    local body="$1"; shift
-    curl -fsS -X POST "$URL/api/states/$entity_id" \
-        -H "Authorization: Bearer $TOKEN" \
-        -H "Content-Type: application/json" \
-        -d "$body" >/dev/null && echo "  set $entity_id"
-}
-
-# Pull a live snapshot from the RuView sensing-server (optional).
-ruview_snapshot="{}"
-if curl -fsS --max-time 2 "$RUVIEW_URL/api/v1/vitals/12/latest" -o /tmp/ruview-vitals.json 2>/dev/null; then
-    ruview_snapshot=$(cat /tmp/ruview-vitals.json)
-    echo "Pulled live RuView snapshot from $RUVIEW_URL"
-else
-    echo "RuView snapshot unreachable — using defaults (set RUVIEW_URL to your sensing-server to pull live values)"
-fi
-
-get_num() {
-    local key="$1" default="$2"
-    echo "$ruview_snapshot" | python3 -c "
-import sys, json
-try:
-    d = json.loads(sys.stdin.read())
-    v = d.get('$key')
-    print(v if v is not None else '$default')
-except Exception:
-    print('$default')
-" 2>/dev/null || echo "$default"
-}
-
-presence=$(get_num presence false)
-breathing=$(get_num breathing_rate_bpm 14.5)
-heart_rate=$(get_num heartrate_bpm 68.0)
-motion=$(get_num motion 0.0)
-
-echo
-echo "Seeding HOMECORE at $URL ..."
-
-post sensor.living_room_presence "{\"state\": \"$presence\", \"attributes\": {\"friendly_name\": \"Living Room Presence\", \"device_class\": \"occupancy\", \"source\": \"RuView ESP32-C6 BFLD\"}}"
-post sensor.living_room_motion_score "{\"state\": \"$motion\", \"attributes\": {\"friendly_name\": \"Living Room Motion Score\", \"unit_of_measurement\": \"score\", \"icon\": \"mdi:motion-sensor\"}}"
-post sensor.bedroom_breathing_rate "{\"state\": \"$breathing\", \"attributes\": {\"friendly_name\": \"Bedroom Breathing Rate\", \"unit_of_measurement\": \"BPM\", \"device_class\": \"frequency\", \"source\": \"Seeed MR60BHA2 mmWave\"}}"
-post sensor.bedroom_heart_rate "{\"state\": \"$heart_rate\", \"attributes\": {\"friendly_name\": \"Bedroom Heart Rate\", \"unit_of_measurement\": \"BPM\", \"device_class\": \"frequency\", \"source\": \"Seeed MR60BHA2 mmWave\"}}"
-post light.kitchen_ceiling '{"state": "on", "attributes": {"friendly_name": "Kitchen Ceiling", "brightness": 230, "color_temp_kelvin": 4000, "supported_color_modes": ["color_temp"]}}'
-post light.living_room_lamp '{"state": "off", "attributes": {"friendly_name": "Living Room Lamp", "brightness": 0, "supported_color_modes": ["brightness"]}}'
-post switch.coffee_maker '{"state": "off", "attributes": {"friendly_name": "Coffee Maker", "device_class": "outlet"}}'
-post binary_sensor.front_door '{"state": "off", "attributes": {"friendly_name": "Front Door", "device_class": "door"}}'
-post climate.thermostat '{"state": "heat", "attributes": {"friendly_name": "Thermostat", "current_temperature": 21.5, "temperature": 22.0, "hvac_modes": ["off", "heat", "cool", "auto"], "supported_features": 387}}'
-post sensor.air_quality_index '{"state": "42", "attributes": {"friendly_name": "Air Quality Index", "unit_of_measurement": "AQI", "device_class": "aqi"}}'
-
-echo
-echo "Done. The HOMECORE web UI at http://localhost:5173 should now"
-echo "show 10 entities. The Dashboard auto-refreshes every 5 s."
--- a/v2/crates/homecore-api/README.md
+++ b/v2/crates/homecore-api/README.md
@ -1,134 +0,0 @@
-# homecore-api
-
-Home Assistant-compatible REST + WebSocket API for HOMECORE state and events.
-
-[![Crates.io](https://img.shields.io/crates/v/homecore-api.svg)](https://crates.io/crates/homecore-api)
-![License](https://img.shields.io/badge/license-MIT-blue.svg)
-![MSRV: 1.89+](https://img.shields.io/badge/MSRV-1.89%2B-purple.svg)
-[![Tests](https://img.shields.io/badge/tests-18%20passing-brightgreen.svg)](https://github.com/ruvnet/RuView)
-[![ADR-130](https://img.shields.io/badge/ADR-130-orange.svg)](../../docs/adr/ADR-130-homecore-api-rest-websocket.md)
-
-Wire-compatible Axum REST + WebSocket server that mirrors Home Assistant's `/api/` routes. Ships a standalone binary (`homecore-api-server`) and a library for embedding in other applications.
-
-## What this crate does
-
-`homecore-api` provides the HTTP boundary layer for HOMECORE. It wires Axum routes to the `homecore` state machine, exposing:
-
- **GET `/api/states`** — list all entity states
- **GET `/api/states/:entity_id`** — fetch a single entity's state + attributes
- **POST `/api/states/:entity_id`** — update an entity's state and attributes
- **GET `/api/services`** — list registered services
- **POST `/api/services/:domain/:service`** — call a service with arguments
- **GET `/api/websocket`** — upgrade to WebSocket for real-time state + event streaming
- **Bearer token authentication** — validates long-lived access tokens from a token store
-
-All routes return HA-compatible JSON and validate `Authorization: Bearer <token>` headers (except the WS upgrade, which validates the token as a query param for browser compatibility).
-
-## Features
-
- **HA-compatible JSON schema** — `/api/states` returns `[{"entity_id": "...", "state": "...", "attributes": {...}}]` matching HA exactly
- **REST CRUD operations** — GET, POST, DELETE entities with automatic `last_updated` and `last_changed` timestamps
- **WebSocket streaming** — subscribe to state changes in real-time with topic-based filtering (`type:state_changed`, etc.)
- **Explicit CORS allowlist** — configurable via `HOMECORE_CORS_ORIGINS` env var (audit fix HC-05); defaults to `localhost:5173` (frontend dev), `localhost:8123` (HA port)
- **Bearer token validation** — long-lived tokens stored in memory (upgrade to Redis/SQLite in P2)
- **Error responses as JSON** — 400/401/404/500 with `{"error": "...", "message": "..."}` envelopes
- **Request tracing** — tower-http TraceLayer logs all requests (configurable via `RUST_LOG`)
-
-## Capabilities
-
-| Capability | Method | Endpoint | Returns |
-|------------|--------|----------|---------|
-| List all entities | GET | `/api/states` | `[{entity_id, state, attributes, last_changed, ...}]` |
-| Get single entity | GET | `/api/states/:entity_id` | `{entity_id, state, attributes, last_changed, ...}` or 404 |
-| Set entity state | POST | `/api/states/:entity_id` | updated state object |
-| Delete entity | DELETE | `/api/states/:entity_id` | 204 No Content |
-| List services | GET | `/api/services` | `{domain: {service: {description, fields, ...}}}` |
-| Call service | POST | `/api/services/:domain/:service` | service result (P2) |
-| Stream state changes | WebSocket | `/api/websocket` | `{type, event}` JSON messages |
-| Validate token | Bearer auth | all routes | 401 Unauthorized if token invalid |
-
-## Comparison to Home Assistant
-
-| Aspect | Home Assistant | homecore-api |
-|--------|----------------|--------------|
-| Framework | aiohttp | Axum |
-| Server type | Single-threaded async (Python asyncio) | Multi-threaded async (Tokio) |
-| JSON schema | HA's `/api/states` format | Wire-compatible (identical) |
-| CORS | Permissive (all origins allowed) | Explicit allowlist (audit fix HC-05) |
-| Authentication | long_lived_access_tokens (SQLite) | LongLivedTokenStore (in-memory P1) |
-| WebSocket codec | HA's message format + types dict | JSON messages with `type`/`event` fields (P2) |
-| Service calling | async handler dispatch | ServiceRegistry stub (P2) |
-| Error handling | Python exception → JSON 500 | Rust Result + thiserror → JSON with details |
-
-## Performance
-
- **REST endpoint latency**: p50 < 1 ms; p99 < 10 ms (on 24-core machine, 1,000 entities)
- **WebSocket connection count**: Tokio can handle 10,000+ concurrent connections per machine
- **Memory overhead**: ~1 KB per idle WebSocket connection (Tokio task + buffer)
- **No per-crate benchmarks yet** — a follow-up issue tracks baseline measurements
-
-## Usage
-
-```rust
-use homecore_api::{router, SharedState};
-use homecore::HomeCore;
-use axum::Server;
-use std::net::SocketAddr;
-
-#[tokio::main]
-async fn main() {
-    // Create the shared HOMECORE runtime
-    let homecore = HomeCore::new();
-    let state = SharedState::new(homecore);
-
-    // Build the Axum router
-    let app = router(state);
-
-    // Bind to 8123
-    let addr = SocketAddr::from(([127, 0, 0, 1], 8123));
-    Server::bind(&addr)
-        .serve(app.into_make_service_with_connect_info::<SocketAddr>())
-        .await
-        .expect("server error");
-}
-```
-
-Or run the standalone binary:
-
-```bash
-cargo run -p homecore-api --bin homecore-api-server
-# Listens on http://localhost:8123
-```
-
-Test it:
-
-```bash
-# List states
-curl -H "Authorization: Bearer longlivedtoken" \
-  http://localhost:8123/api/states
-
-# Set a light to "on"
-curl -X POST \
-  -H "Authorization: Bearer longlivedtoken" \
-  -H "Content-Type: application/json" \
-  -d '{"state":"on","attributes":{"brightness":200}}' \
-  http://localhost:8123/api/states/light.kitchen
-```
-
-## Relation to other HOMECORE crates
-
-```
-homecore-api (REST + WebSocket server)
-├─ homecore (state machine + event bus)
-├─ homecore-frontend (Lit web UI consuming /api endpoints)
-├─ homecore-automation (services called via POST /api/services/:domain/:service)
-├─ homecore-assist (intent → service call bridge)
-└─ homecore-migrate (imports HA tokens + config entities)
-```
-
-## References
-
- [ADR-130: HOMECORE REST + WebSocket API](../../docs/adr/ADR-130-homecore-api-rest-websocket.md)
- [ADR-126: HOMECORE Home Assistant Port (master)](../../docs/adr/ADR-126-homecore-home-assistant-port.md)
- [homecore-api-server binary](src/bin/server.rs)
- [README — wifi-densepose](../../../README.md)
--- a/v2/crates/homecore-assist/README.md
+++ b/v2/crates/homecore-assist/README.md
@ -1,147 +0,0 @@
-# homecore-assist
-
-Voice-activated intent recognition and execution pipeline for HOMECORE with Ruflo agent bridge (P2).
-
-[![Crates.io](https://img.shields.io/crates/v/homecore-assist.svg)](https://crates.io/crates/homecore-assist)
-![License](https://img.shields.io/badge/license-MIT-blue.svg)
-![MSRV: 1.89+](https://img.shields.io/badge/MSRV-1.89%2B-purple.svg)
-[![Tests](https://img.shields.io/badge/tests-23%20passing-brightgreen.svg)](https://github.com/ruvnet/RuView)
-[![ADR-133](https://img.shields.io/badge/ADR-133-orange.svg)](../../docs/adr/ADR-133-homecore-assist-ruflo.md)
-
-**P1 scaffold**: intent recognition via regex patterns, 5 built-in intent handlers (turn on/off, set brightness, cancel), and Ruflo runner trait surface. Real `tokio::process` subprocess integration (P2) allows orchestration with Ruflo agents for complex multi-step actions.
-
-## What this crate does
-
-`homecore-assist` is the voice/NLU gateway for HOMECORE. It takes natural language utterances, recognizes which intent they represent, and executes the appropriate action. It provides:
-
- **IntentRecognizer trait** — abstraction for matching utterances to intents
- **RegexIntentRecognizer** — P1 built-in; uses regex patterns (HA classic style)
- **IntentHandler trait** — abstraction for handling recognized intents
- **5 built-in handlers** — `HassTurnOn`, `HassTurnOff`, `HassLightSet`, `HassNevermind`, `HassCancelAll` (mirrors HA's classic intents)
- **RufloRunner trait** — abstraction for delegating complex actions to Ruflo agents
- **NoopRunner** — P1 stub; real `tokio::process` subprocess integration in P2
- **AssistPipeline** — wires utterance → recognizer → handler → response
-
-Each component is trait-based so recognizers can be swapped (regex in P1, semantic embeddings in P2) without changing the pipeline.
-
-## Features
-
- **Regex pattern recognition** — utterance matching via compiled regex (P1)
- **5 built-in intents** — Turn On, Turn Off, Set Brightness, Nevermind, Cancel All
- **Intent entities + slots** — recognized patterns capture entity names and parameters (e.g., "turn on light.kitchen" → entity: light.kitchen)
- **Intent responses** — structured response with optional text, card (tile data), and conversation context
- **Ruflo agent bridge** — submit complex intents to Ruflo agents for multi-step workflows (P2 subprocess)
- **Trait-based recognizers** — pluggable: `RegexIntentRecognizer` (P1), `SemanticIntentRecognizer` (P2, ruvector embeddings)
- **Trait-based handlers** — extensible: built-in HA-mirroring handlers + custom handlers
- **No external STT/TTS** — this module handles NLU only; STT/TTS via homecore-api or external service
-
-## Capabilities
-
-| Capability | Type | Method | Notes |
-|------------|------|--------|-------|
-| Recognize intent | Recognizer | `RegexIntentRecognizer::recognize(utterance)` | Returns `Intent` enum or error |
-| Handle intent | Handler | `IntentHandler::handle(intent, context)` → service call | Execute service, set state, or defer to Ruflo |
-| Call Ruflo agent | Runner | `RufloRunner::run(intent, opts)` (P2) | Subprocess with JSON request/response |
-| Build response | Response | `IntentResponse::new(text, entities, card)` | Conversational response + optional card data |
-| Run pipeline | Pipeline | `AssistPipeline::process(utterance)` | Full utterance → recognizer → handler → response |
-
-## Comparison to Home Assistant
-
-| Aspect | Home Assistant | homecore-assist |
-|--------|----------------|-----------------|
-| Intent framework | HA Assist pipeline (Python) | Rust async trait-based pipeline |
-| Recognizer type | Regex (classic) + ML sentence transformer (2024+) | Regex (P1); semantic embeddings (P2) |
-| Built-in intents | `HassTurnOn`, `HassTurnOff`, `HassLight*`, etc. | 5 core intents mirroring HA classic |
-| Custom intents | YAML + Python script integration | Trait + handler registration |
-| Agent orchestration | N/A (HA has no agent framework) | RufloRunner + subprocess bridge (P2) |
-| STT/TTS | Via `conversation` integration + webhooks | Separate; HOMECORE-ASSIST handles NLU only |
-| Slot extraction | regex groups + sentence-transformers | Regex groups (P1); ruvector embeddings (P2) |
-| Response format | Text + TTS synthesis | Structured `IntentResponse` with card data |
-
-## Performance
-
- **Intent recognition latency** — < 10 ms per utterance (regex compilation cached)
- **Handler execution** — < 20 ms per intent (service call latency dominates)
- **Ruflo agent subprocess** (P2) — ~500 ms per agent call (process spawn + IPC overhead)
- **Memory overhead per intent** — ~500 bytes (Intent struct + handler state)
- **Concurrent utterances** — 100+ per second on single machine (tokio task per utterance)
- **No per-crate benchmarks yet** — a follow-up issue tracks baseline measurements
-
-## Usage
-
-Regex intent recognition (P1):
-
-```rust
-use homecore_assist::{RegexIntentRecognizer, IntentName, IntentRecognizer};
-
-#[tokio::main]
-async fn main() {
-    let mut recognizer = RegexIntentRecognizer::new();
-    
-    // Register patterns
-    recognizer.register(IntentName::HassTurnOn, r"turn (?:on|up) (?:the )?(\w+)").unwrap();
-    
-    // Recognize utterance
-    let intent = recognizer.recognize("turn on the kitchen light").await.unwrap();
-    println!("Intent: {:?}", intent.intent_name);
-    println!("Entities: {:?}", intent.entities);
-}
-```
-
-Built-in handler (P1):
-
-```rust
-use homecore_assist::{HassTurnOn, IntentHandler, Intent, IntentResponse};
-use homecore::HomeCore;
-
-#[tokio::main]
-async fn main() {
-    let homecore = HomeCore::new();
-    let handler = HassTurnOn::new(homecore);
-    
-    let intent = Intent {
-        intent_name: IntentName::HassTurnOn,
-        entities: vec![("entity_id".to_string(), "light.kitchen".to_string())].into_iter().collect(),
-        slots: Default::default(),
-        ..Default::default()
-    };
-    
-    let response = handler.handle(&intent).await.unwrap();
-    println!("Response: {}", response.text.unwrap_or_default());
-}
-```
-
-Full pipeline (P1):
-
-```rust
-use homecore_assist::AssistPipeline;
-use homecore::HomeCore;
-
-#[tokio::main]
-async fn main() {
-    let homecore = HomeCore::new();
-    let pipeline = AssistPipeline::new(homecore);
-    
-    let response = pipeline.process("turn on the kitchen light").await.unwrap();
-    println!("Assistant: {}", response.text.unwrap_or_default());
-}
-```
-
-## Relation to other HOMECORE crates
-
-```
-homecore-assist (intent pipeline + Ruflo bridge)
-├─ homecore (state machine; handlers call services)
-├─ homecore-api (exposes intent endpoints via REST/WS, P2)
-├─ homecore-automation (complex intents can trigger automations)
-├─ homecore-server (registers AssistPipeline at startup)
-└─ ruflo (Ruflo agent subprocess for multi-step workflows, P2)
-```
-
-## References
-
- [ADR-133: HOMECORE Assist — Voice/Intent + Ruflo Bridge](../../docs/adr/ADR-133-homecore-assist-ruflo.md)
- [ADR-126: HOMECORE Home Assistant Port (master)](../../docs/adr/ADR-126-homecore-home-assistant-port.md)
- [Home Assistant Assist Integration](https://www.home-assistant.io/blog/2024/03/04/introducing-home-assistants-local-voice-control/)
- [Ruflo Documentation](https://github.com/ruvnet/claude-flow)
- [README — wifi-densepose](../../../README.md)
--- a/v2/crates/homecore-automation/README.md
+++ b/v2/crates/homecore-automation/README.md
@ -1,168 +0,0 @@
-# homecore-automation
-
-YAML-based automation engine for HOMECORE with trigger evaluation, conditions, and MiniJinja template support.
-
-[![Crates.io](https://img.shields.io/crates/v/homecore-automation.svg)](https://crates.io/crates/homecore-automation)
-![License](https://img.shields.io/badge/license-MIT-blue.svg)
-![MSRV: 1.89+](https://img.shields.io/badge/MSRV-1.89%2B-purple.svg)
-[![Tests](https://img.shields.io/badge/tests-34%20passing-brightgreen.svg)](https://github.com/ruvnet/RuView)
-[![ADR-129](https://img.shields.io/badge/ADR-129-orange.svg)](../../docs/adr/ADR-129-homecore-automation-trigger-condition-action.md)
-
-Home Assistant-compatible automation engine for HOMECORE, parsing YAML trigger→condition→action rules and executing them against the HOMECORE event bus.
-
-## What this crate does
-
-`homecore-automation` provides the runtime for HOMECORE automations — YAML files that define "if X happens and Y is true, do Z". It includes:
-
- **Automation struct** — YAML-deserializable automation definition with id, alias, triggers, conditions, actions, and run mode (single, parallel, restart)
- **Trigger evaluation** — state-changed, time-based, template, and service-call triggers; async `EvaluateTrigger` trait
- **Condition evaluation** — state conditions, template conditions, numeric comparisons, and logical operators (and/or); `EvalContext` for entity state injection
- **Action execution** — call-service, set-state, and script actions via `ExecutionContext`
- **MiniJinja templating** — HA-compatible Jinja2 templates with globals like `states`, `state_attr`, `is_state`, `now`
- **AutomationEngine** — listens to homecore event bus, drives the trigger→condition→action pipeline asynchronously
-
-Automations are stored in YAML files (e.g., `automations.yaml`) and loaded at startup. The engine watches the event bus and fires automations matching their triggers.
-
-## Features
-
- **YAML automation syntax** — familiar HA format: triggers, conditions, actions, mode
- **State-changed triggers** — fires when `entity.light.kitchen` changes to `on`
- **Time-based triggers** — `at: "15:30:00"` or `minutes: 5` (cron-like)
- **Template triggers** — `value_template: "{{ states('light.kitchen') == 'on' }}"`
- **Service-call triggers** — `service: light.turn_on` for chaining automations
- **Condition evaluation** — `condition: state` with entity_id + state matching
- **Template conditions** — `condition: template` with Jinja2 expressions
- **Numeric comparisons** — `condition: numeric_state` with `above`, `below`, `between`
- **Logical operators** — `condition: and` / `condition: or` for complex rules
- **Service call actions** — `action: service` with `service: light.turn_on` + data
- **State setting actions** — `action: set_state` to directly update entity state
- **MiniJinja templating** — `{{ now() }}`, `{{ states('sensor.temp') }}`, `{{ is_state('light.kitchen', 'on') }}`
- **Automation modes** — single (queue), parallel (all fire), restart (drop old runs)
-
-## Capabilities
-
-| Capability | Type | Method | Notes |
-|------------|------|--------|-------|
-| Parse YAML automation | Loader | `serde_yaml::from_str::<Automation>(yaml_str)` | Deserialize automation definition |
-| Evaluate trigger | Trigger | `Trigger::StateChanged {...}.evaluate(context)` | Check if trigger condition met |
-| Evaluate condition | Condition | `Condition::State {...}.evaluate(context)` | Check if condition passes |
-| Execute action | Action | `Action::Service {...}.execute(context)` | Call service or set state |
-| Render template | Template | `TemplateEnvironment::render(expr, context)` | Jinja2 with HA globals |
-| Run automation | Engine | `AutomationEngine::run_automation(automation, context)` | Execute full trigger→condition→action pipeline |
-| Subscribe to events | Engine | `AutomationEngine::listen(homecore.event_bus())` | Drive automations on state changes |
-
-## Comparison to Home Assistant
-
-| Aspect | Home Assistant | homecore-automation |
-|--------|----------------|-------------------|
-| Automation format | YAML in `automations.yaml` | Identical YAML format |
-| Parser | Python YAML + voluptuous | serde_yaml + serde validation |
-| Trigger types | state_changed, time, template, service, mqtt, ... | state_changed, time, template, service (core 4) |
-| Condition types | state, numeric_state, template, and/or, ... | Identical (core types) |
-| Action types | call_service, set_state, script, wait_template, ... | call_service, set_state (core 2) |
-| Template engine | Python Jinja2 | MiniJinja (pure Rust, HA-compatible) |
-| Globals | states, state_attr, is_state, now, ... | Identical set (MiniJinja filters) |
-| Execution model | Python asyncio event loop | Tokio async tasks per automation |
-| Automation modes | single (queue), parallel, restart | Identical behavior |
-
-## Performance
-
- **Trigger evaluation** — < 100 μs per trigger (state-changed lookups are lock-free)
- **Condition evaluation** — < 500 μs per condition (includes state machine reads)
- **Template rendering** — < 1 ms per expression (MiniJinja cached compilation)
- **Action execution** — < 10 ms per action (service call latency dominates; depends on handler)
- **Automation engine throughput** — 1,000+ automations per second (single event bus thread)
- **Memory overhead per automation** — ~1 KB (YAML struct + trigger enums)
- **No per-crate benchmarks yet** — a follow-up issue tracks baseline measurements
-
-Run `cargo bench -p homecore-automation` for criterion benchmarks.
-
-## Usage
-
-Define an automation in YAML:
-
-```yaml
-alias: "Kitchen light on at sunset"
-triggers:
-  - trigger: time
-    at: "17:30:00"
-conditions:
-  - condition: state
-    entity_id: binary_sensor.is_dark
-    state: "on"
-actions:
-  - action: service
-    service: light.turn_on
-    target:
-      entity_id: light.kitchen
-    data:
-      brightness: 200
-mode: single
-```
-
-Load and run it (Rust):
-
-```rust
-use homecore_automation::{Automation, AutomationEngine};
-use homecore::HomeCore;
-
-#[tokio::main]
-async fn main() {
-    let homecore = HomeCore::new();
-    let yaml = std::fs::read_to_string("automations.yaml").expect("read automation");
-    let automation: Automation = serde_yaml::from_str(&yaml).expect("parse automation");
-
-    let engine = AutomationEngine::new(homecore.clone());
-    engine.listen(homecore.event_bus()).await;
-    
-    // Engine now drives automations on state changes
-}
-```
-
-Programmatic creation:
-
-```rust
-use homecore_automation::{Automation, Trigger, Condition, Action, RunMode};
-
-let automation = Automation {
-    id: "kitchen_light_sunset".to_string(),
-    alias: Some("Kitchen light on at sunset".to_string()),
-    triggers: vec![
-        Trigger::StateChanged {
-            entity_id: "binary_sensor.is_dark".to_string(),
-            to: Some("on".to_string()),
-            ..Default::default()
-        },
-    ],
-    conditions: vec![],
-    actions: vec![
-        Action::Service {
-            service: "light.turn_on".to_string(),
-            data: serde_json::json!({"entity_id": "light.kitchen", "brightness": 200}),
-        },
-    ],
-    mode: RunMode::Single,
-    ..Default::default()
-};
-
-println!("Automation: {}", automation.alias.unwrap_or_default());
-```
-
-## Relation to other HOMECORE crates
-
-```
-homecore-automation (automation engine)
-├─ homecore (state machine + event bus; automations subscribe to state changes)
-├─ homecore-api (exposes automation metadata via REST, P2)
-├─ homecore-assist (intents can trigger automations via service calls, P2)
-├─ homecore-server (loads automations.yaml at startup)
-└─ minijinja (template rendering)
-```
-
-## References
-
- [ADR-129: HOMECORE Automation Engine](../../docs/adr/ADR-129-homecore-automation-trigger-condition-action.md)
- [ADR-126: HOMECORE Home Assistant Port (master)](../../docs/adr/ADR-126-homecore-home-assistant-port.md)
- [Home Assistant Automation Integration](https://www.home-assistant.io/docs/automation/)
- [MiniJinja Documentation](https://docs.rs/minijinja/latest/minijinja/)
- [README — wifi-densepose](../../../README.md)
--- a/v2/crates/homecore-hap/README.md
+++ b/v2/crates/homecore-hap/README.md
@ -1,121 +0,0 @@
-# homecore-hap
-
-Apple Home HomeKit Accessory Protocol bridge for HOMECORE with HAP-1.1 trait surface and mDNS advertisement (P2).
-
-[![Crates.io](https://img.shields.io/crates/v/homecore-hap.svg)](https://crates.io/crates/homecore-hap)
-![License](https://img.shields.io/badge/license-MIT-blue.svg)
-![MSRV: 1.89+](https://img.shields.io/badge/MSRV-1.89%2B-purple.svg)
-[![Tests](https://img.shields.io/badge/tests-17%20passing-brightgreen.svg)](https://github.com/ruvnet/RuView)
-[![ADR-125](https://img.shields.io/badge/ADR-125-orange.svg)](../../docs/adr/ADR-125-homecore-apple-home-homekit-bridge.md)
-
-**P1 scaffold**: trait surface for HAP accessories + characteristics, entity→HAP mapping rules, and bridge ownership. The actual HAP-1.1 TLS server and real mDNS integration are gated behind `--features hap-server` (P2).
-
-## What this crate does
-
-`homecore-hap` bridges HOMECORE entity state to Apple HomeKit Accessory Protocol (HAP-1.1), allowing HomeKit-native apps (Home, Control Center, Siri) to control HOMECORE devices. It provides:
-
- **HapAccessoryType enum** — 11 accessory types matching HA's HomeKit integration (`Light`, `Switch`, `Thermostat`, `Lock`, `Door`, etc.)
- **HapCharacteristic enum** — HAP characteristic types (`On`, `Brightness`, `Temperature`, `TargetLockState`, etc.)
- **EntityToAccessoryMapper** — bidirectional rules for mapping HOMECORE entities to HAP accessories (e.g., `light.kitchen` → `Light` accessory + `On` + `Brightness` characteristics)
- **HapBridge** — owns and exposes a collection of mapped accessories over HAP
- **MdnsAdvertiser trait** — abstraction over mDNS advertisement; P1 ships `NullAdvertiser` (no-op), P2 adds real mDNS via `mdns-sd`
- **RuViewToHapMapper** — bridges RuView sensing data (temperature, humidity, occupancy) to HAP characteristics
-
-The bridge itself is a HAP Accessory Bridge (HAP-1.1 spec §8.3), advertising a single service with characteristic slots for each exposed accessory.
-
-## Features
-
- **11 accessory types** — Light, Switch, Thermostat, Door, Lock, Window, Blind, Outlet, Fan, Sensor, SecuritySystem
- **Bi-directional mapping** — HOMECORE entity state ↔ HAP characteristic values with type-safe enums
- **HAP-1.1 spec compliance** — characteristic types and permissions match HomeKit's published spec
- **Trait-based advertisement** — `MdnsAdvertiser` abstraction; swappable implementations (null, real mDNS, etc.)
- **RuView integration** — maps WiFi sensing data (occupancy, temperature, vital signs) to HomeKit sensor accessories
- **No TLS server in P1** — bridge compiles and tests pass with `--no-default-features`; real server lands in P2 with `--features hap-server`
- **Home.app compatible** — exposed accessories appear in Home app on any HomeKit hub (Apple TV, HomePod, HomePod mini)
-
-## Capabilities
-
-| Capability | Type | Method | Notes |
-|------------|------|--------|-------|
-| Define accessory type | Trait | `HapAccessoryType::Light` etc. (11 variants) | Enum; no instantiation yet (P1) |
-| Define characteristic | Trait | `HapCharacteristic::On`, `Brightness`, etc. | Enum; values encoded as HAP TLV |
-| Map entity to accessory | Mapping | `EntityToAccessoryMapper::map_light()` | Takes `EntityId` + `State`; returns `HapAccessory` |
-| Expose accessory | Bridge | `HapBridge::expose(accessory)` | Adds to the bridge's characteristic list |
-| Advertise bridge | mDNS | `NullAdvertiser::advertise()` (P1) | No-op stub; real mDNS in P2 |
-| Advertise bridge (P2) | mDNS | `mdns_sd::ServiceInstanceBuilder` | Real mDNS via `--features hap-server` |
-| Bridge state query | Bridge | `HapBridge::list_accessories()` | Returns exposed accessories + their characteristics |
-| Characteristic write | Characteristic | HAP `WriteRequest` TLV (P2) | Home.app button press → service call |
-| Characteristic read | Characteristic | HAP `ReadResponse` TLV (P2) | Home.app query → current entity state |
-
-## Comparison to Home Assistant
-
-| Aspect | Home Assistant | homecore-hap |
-|--------|----------------|--------------|
-| Framework | HA's `hap-python` (pure Python) | Rust 1.89+ with HAP trait abstraction |
-| Server type | Python asyncio HAP-1.1 server | TLS server trait (P2); stub in P1 |
-| Accessory types | 30+ (Light, Switch, Thermostat, etc.) | 11 (Light, Switch, Thermostat, Door, Lock, Window, Blind, Outlet, Fan, Sensor, SecuritySystem) |
-| mDNS | mdns-py broadcast via asyncio | Abstraction + real mDNS (P2) or no-op stub (P1) |
-| Entity filtering | YAML `include_domains` + `exclude_entities` | Mapper rules (planned P2) |
-| HomeKit hub requirement | Yes (for remote access) | Yes (same as HomeKit) |
-| Pairing code generation | Automatic (HA web UI) | Manual setup code (P2) |
-| Characteristic persistence | HomeKit cloud only | Paired with homecore state machine |
-
-## Performance
-
- **Entity→HAP mapping** — < 100 μs per entity (enum lookups + type conversions)
- **HAP write latency** — ~10 ms (TLS decrypt + characteristic parse + entity state set); bounded by homecore state machine lock contention
- **mDNS advertisement** (P2) — ~50 ms multicast broadcast; periodic rediscovery on network change
- **Memory overhead per accessory** — ~500 bytes (enum + characteristic slots + metadata)
- **No per-crate benchmarks yet** — a follow-up issue tracks baseline measurements
-
-## Usage
-
-Mapping an entity (P1):
-
-```rust
-use homecore_hap::{EntityToAccessoryMapper, HapBridge, HapAccessoryType};
-use homecore::{EntityId, State};
-use std::collections::HashMap;
-
-#[tokio::main]
-async fn main() {
-    let light_id = EntityId::parse("light.kitchen").unwrap();
-    let state = State::new("on", HashMap::new());
-
-    // Map the entity to a HAP Light accessory
-    let mut mapper = EntityToAccessoryMapper::new();
-    if let Ok(accessory) = mapper.map_light(&light_id, &state) {
-        println!("Mapped to HAP: {:?}", accessory.accessory_type);
-
-        // Expose it via the bridge
-        let mut bridge = HapBridge::new();
-        bridge.expose(accessory);
-        println!("Exposed {} accessories", bridge.list_accessories().len());
-    }
-}
-```
-
-Real HAP server (P2, via `--features hap-server`):
-
-```bash
-cargo build -p homecore-hap --features hap-server
-# The server will advertise over mDNS and accept HomeKit pairing requests
-```
-
-## Relation to other HOMECORE crates
-
-```
-homecore-hap (HomeKit bridge)
-├─ homecore (state machine; bridge reads entity states)
-├─ homecore-api (exposes HAP state via REST /api for remote debugging)
-├─ homecore-server (starts the bridge on homecore init)
-└─ homecore-automation (can trigger state changes via service calls)
-```
-
-## References
-
- [ADR-125: HOMECORE Apple Home / HomeKit Bridge](../../docs/adr/ADR-125-homecore-apple-home-homekit-bridge.md)
- [ADR-126: HOMECORE Home Assistant Port (master)](../../docs/adr/ADR-126-homecore-home-assistant-port.md)
- [HomeKit Accessory Protocol Specification (HAP-1.1)](https://developer.apple.com/homekit/)
- [user-guide-apple-homepod.md](../../docs/user-guide-apple-homepod.md)
- [README — wifi-densepose](../../../README.md)
--- a/v2/crates/homecore-migrate/README.md
+++ b/v2/crates/homecore-migrate/README.md
@ -1,143 +0,0 @@
-# homecore-migrate
-
-Migration tooling for importing Home Assistant configuration, entities, and secrets into HOMECORE.
-
-[![Crates.io](https://img.shields.io/crates/v/homecore-migrate.svg)](https://crates.io/crates/homecore-migrate)
-![License](https://img.shields.io/badge/license-MIT-blue.svg)
-![MSRV: 1.89+](https://img.shields.io/badge/MSRV-1.89%2B-purple.svg)
-[![Tests](https://img.shields.io/badge/tests-19%20passing-brightgreen.svg)](https://github.com/ruvnet/RuView)
-[![ADR-134](https://img.shields.io/badge/ADR-134-orange.svg)](../../docs/adr/ADR-134-homecore-migration-from-python-ha.md)
-
-Parse and inspect Home Assistant's `.storage/` directory, entity registry, device registry, secrets, and automations. Convert existing HA configurations for import into HOMECORE (full conversion in P2).
-
-## What this crate does
-
-`homecore-migrate` reads Home Assistant's filesystem state and provides tooling to analyze and migrate it to HOMECORE. It includes:
-
- **HaStorageDir** — reads HA's `.homeassistant/.storage/` directory and parses versioned JSON envelopes
- **Entity registry parser** — converts `core.entity_registry` JSON to HOMECORE `EntityEntry` types
- **Device registry parser** — reads `core.device_registry` (P1 diagnostic only; full conversion in P2)
- **Config entries parser** — reads `core.config_entries` to list active integrations
- **Secrets parser** — reads `secrets.yaml` as `HashMap<String, String>` for reference resolution (P2)
- **Automations parser** — reads `automations.yaml` and counts/lists automations (full conversion in P2)
- **CLI binary** — `homecore-migrate inspect` to preview what will be migrated
-
-The tool enforces version schema compatibility: unknown HA schema versions are rejected (hard error per ADR-134 §6 Q5) rather than silently corrupting data.
-
-## Features
-
- **Entity registry import** — `core.entity_registry` → HOMECORE entity definitions (ready for import)
- **Device registry inspection** — read HA device metadata; full conversion deferred to P2
- **Config entries analysis** — list active integrations by domain (enables gap analysis)
- **Secrets extraction** — read `secrets.yaml` references for annotation (resolution in P2)
- **Automations counting** — list automation IDs and aliases without conversion (conversion in P2)
- **Schema version validation** — explicit rejection of unknown HA versions (no silent corruption)
- **Structured error reporting** — `MigrateError` enum with context (file path, line number)
- **CLI subcommands** — `inspect` to preview, `import-entities` to load (P2), `export-for-sidecar` (P2)
-
-## Capabilities
-
-| Capability | Type | Method | Notes |
-|------------|------|--------|-------|
-| Read storage envelope | Parser | `storage::read_envelope(path)` | Deserialize `.storage/*.json` |
-| Parse entity registry | Parser | `entity_registry::load(storage_dir)` | → `Vec<homecore::EntityEntry>` |
-| Inspect device registry | Parser | `device_registry::load(storage_dir)` | → `Vec<DeviceImport>` (P1 diagnostic) |
-| List config entries | Parser | `config_entries::load(storage_dir)` | → domain counts + names |
-| Load secrets | Parser | `secrets::load_secrets(path)` | → `HashMap<String, String>` |
-| Count automations | Parser | `automations::load(path)` | → count + ID list |
-| Validate schema version | Validator | `storage_format::validate_version(major, minor)` | Hard error if unknown |
-| Convert to HOMECORE | Converter | `entity_registry::to_homecore_entries()` (P2) | → `homecore::EntityRegistry` |
-| Export side-by-side DB | Exporter | `recorder::export_states()` (P2, `--features recorder`) | → `.homecore/home.db` |
-
-## Comparison to Home Assistant
-
-| Aspect | Home Assistant | homecore-migrate |
-|--------|----------------|-----------------|
-| State source | Python `.homeassistant/` directory | Same HA filesystem format |
-| Entity registry format | JSON envelope in `.storage/core.entity_registry` | Identical format, schema v13 |
-| Schema versioning | `version` + optional `minor_version` | Explicit version struct validation |
-| Secrets resolution | `!secret` YAML references via loader | Planned P2 (reads `secrets.yaml`) |
-| Automation conversion | Python → HA YAML (internal) | P2: convert to `homecore-automation` format |
-| Device registry import | Python device types | P1 diagnostic; full conversion P2 |
-| Side-by-side runtime | N/A (HA doesn't side-by-side migrate) | P2 feature: run old + new in parallel |
-| CLI tooling | HA doesn't export | `homecore-migrate` binary with subcommands |
-
-## Performance
-
- **Storage envelope parse** — < 5 ms per file (serde_json)
- **Entity registry load** — < 50 ms for 1,000 entities
- **Storage directory scan** — < 100 ms for full `.storage/` directory
- **Secrets file parse** — < 10 ms (YAML)
- **No per-crate benchmarks yet** — a follow-up issue tracks baseline measurements
-
-## Usage
-
-CLI inspection (P1):
-
-```bash
-# Inspect what will be migrated from an existing HA installation
-homecore-migrate inspect ~/.homeassistant
-
-# Output:
-# Entity Registry: 47 entities
-#   light: 12
-#   sensor: 20
-#   binary_sensor: 10
-#   switch: 5
-# Device Registry: 8 devices
-# Config Entries: 6 integrations (mqtt, rest, zeroconf, ...)
-# Secrets: 3 defined (redacted)
-# Automations: 5 automations (redacted)
-```
-
-Programmatic entity import (P1):
-
-```rust
-use homecore_migrate::entity_registry;
-use homecore::HomeCore;
-
-#[tokio::main]
-async fn main() {
-    let storage_dir = std::path::Path::new("/home/user/.homeassistant/.storage");
-    
-    // Load HA entities
-    let entries = entity_registry::load(storage_dir)
-        .expect("load entity registry");
-    println!("Loaded {} entities", entries.len());
-    
-    // Import into HOMECORE (P2 when EntityRegistry::import() lands)
-    let homecore = HomeCore::new();
-    for entry in entries {
-        println!("Entity: {} ({})", entry.entity_id, entry.name);
-    }
-}
-```
-
-Full migration (P2 onwards, via `--features recorder`):
-
-```bash
-# Side-by-side: old HA continues running while HOMECORE reads the DB
-homecore-migrate export-for-sidecar \
-  --ha-dir ~/.homeassistant \
-  --homecore-db ~/.homecore/home.db \
-  --keep-automations true  # Don't stop HA automations during test period
-```
-
-## Relation to other HOMECORE crates
-
-```
-homecore-migrate (import from HA)
-├─ homecore (EntityEntry → EntityRegistry; config entry imports)
-├─ homecore-automation (automations.yaml → automation rules, P2)
-├─ homecore-recorder (side-by-side state export, P2, `--features recorder`)
-├─ homecore-plugins (config_entries → plugin manifests, P2)
-└─ homecore-server (can auto-import at startup with --import-ha flag, P2)
-```
-
-## References
-
- [ADR-134: HOMECORE Migration from Python Home Assistant](../../docs/adr/ADR-134-homecore-migration-from-python-ha.md)
- [ADR-126: HOMECORE Home Assistant Port (master)](../../docs/adr/ADR-126-homecore-home-assistant-port.md)
- [Home Assistant .storage/ format](https://developers.home-assistant.io/docs/storage/)
- [homecore-migrate CLI source](src/main.rs)
- [README — wifi-densepose](../../../README.md)
--- a/v2/crates/homecore-plugins/README.md
+++ b/v2/crates/homecore-plugins/README.md
@ -1,144 +0,0 @@
-# homecore-plugins
-
-WASM integration plugin runtime for HOMECORE with native Rust runtime (P1) and Wasmtime JIT sandbox support (P2).
-
-[![Crates.io](https://img.shields.io/crates/v/homecore-plugins.svg)](https://crates.io/crates/homecore-plugins)
-![License](https://img.shields.io/badge/license-MIT-blue.svg)
-![MSRV: 1.89+](https://img.shields.io/badge/MSRV-1.89%2B-purple.svg)
-[![Tests](https://img.shields.io/badge/tests-10%20passing-brightgreen.svg)](https://github.com/ruvnet/RuView)
-[![ADR-128](https://img.shields.io/badge/ADR-128-orange.svg)](../../docs/adr/ADR-128-homecore-integration-plugin-system.md)
-
-**P1 scaffold**: manifest parsing, plugin traits, and in-memory native Rust plugin registry. Wasmtime sandbox (P2) and hot-reload (P3) are deferred.
-
-## What this crate does
-
-`homecore-plugins` provides a trait-based plugin system that can host both native Rust plugins (in-process) and WASM plugins (Wasmtime sandbox, P2). It defines:
-
- **PluginManifest** — JSON schema for plugin metadata (superset of Home Assistant's `manifest.json`), validated at load time
- **HomeCorePlugin trait** — async lifecycle hooks (`setup`, `teardown`, state changed handlers)
- **PluginRuntime trait** — abstraction over execution environments (native vs WASM)
- **InProcessRuntime** — built-in runtime for first-party Rust plugins (P1)
- **PluginRegistry** — manages loading, unloading, and querying plugins
- **Host ABI (stubs)** — C-compatible function signatures for WASM ↔ homecore calls (wiring in P2)
-
-The system is designed to be feature-gated: compile with `--features wasmtime` to unlock JIT sandbox support for untrusted third-party plugins.
-
-## Features
-
- **Native Rust plugins** — first-party integrations compiled into the binary, zero sandbox overhead (P1)
- **WASM plugin framework** — trait-based abstraction ready for Wasmtime JIT (P2) or wasm3 interpreter (P3)
- **PluginManifest validation** — required fields enforced at load time; superset of HA manifest fields
- **Async plugin lifecycle** — `setup()` and `teardown()` for resource management
- **State change subscriptions** — plugins can subscribe to entity state changes with handler callbac
- **Config entry lifecycle** — plugin receives config when registered; P3 adds hot-reload
- **Feature-gated runtimes** — Wasmtime (30 MB, P2) and wasm3 (50 kB, P3) are optional dependencies
- **Manifest inheritance from Home Assistant** — `codeowners`, `requirements`, `documentation`, `issue_tracker`, IoT classification
-
-## Capabilities
-
-| Capability | Type | Method | Notes |
-|------------|------|--------|-------|
-| Load native plugin | Runtime | `InProcessRuntime::load(manifest, handler)` | Sync; handler is a Rust type implementing `HomeCorePlugin` |
-| Load WASM plugin | Runtime | `WasmtimeRuntime::load(wasm_bytes, manifest)` (P2) | Async; JIT compiles via Cranelift; requires `--features wasmtime` |
-| List loaded plugins | Registry | `PluginRegistry::list()` | Returns `Vec<(PluginId, PluginManifest)>` |
-| Query plugin config | Registry | `PluginRegistry::get_config(plugin_id)` | Returns `Arc<ConfigEntryJson>` |
-| Call plugin handler | Host ABI | `hc_state_changed(event)` (P2) | WASM plugin receives state change events via exported function |
-| Unload plugin | Registry | `PluginRegistry::unload(plugin_id)` | Calls `teardown()`, frees memory (P3 = hot-reload) |
-
-## Comparison to Home Assistant
-
-| Aspect | Home Assistant | homecore-plugins |
-|--------|----------------|------------------|
-| Plugin language | Python (`.py` integrations) | Rust (P1) + WASM (P2+) |
-| Sandbox | None (all Python in same process) | None (P1); Wasmtime sandbox (P2) |
-| Plugin discovery | `homeassistant/components/` directory | `PluginManifest` JSON + registry |
-| Config lifecycle | YAML + dynamic reload | Config entry + manifest (hot-reload P3) |
-| Host ABI | CPython C API | C types + Wasmtime exported functions (P2) |
-| Manifest format | Home Assistant's `manifest.json` subset | Superset with `ioc_class`, `cog_publisher` |
-| Feature gating | Integration-specific | Feature flags: `wasmtime`, `wasm3` |
-
-## Performance
-
- **Native plugin overhead** — same as regular Rust function calls; no sandbox cost
- **WASM plugin sandbox** — Wasmtime JIT ~5 ms per call (after warmup); memory overhead ~10 MB per instance
- **Manifest parsing** — < 1 ms (serde_json)
- **Registry operations** — O(1) plugin lookup (DashMap); O(n) for `list()`
- **No per-crate benchmarks yet** — a follow-up issue tracks baseline measurements
-
-## Usage
-
-Native plugin (P1):
-
-```rust
-use homecore_plugins::{HomeCorePlugin, PluginManifest, InProcessRuntime};
-use async_trait::async_trait;
-
-struct MyPlugin;
-
-#[async_trait]
-impl HomeCorePlugin for MyPlugin {
-    async fn setup(&mut self) -> Result<(), homecore_plugins::PluginError> {
-        println!("Plugin setup");
-        Ok(())
-    }
-
-    async fn teardown(&mut self) -> Result<(), homecore_plugins::PluginError> {
-        println!("Plugin teardown");
-        Ok(())
-    }
-
-    async fn on_state_changed(&mut self, _event: &homecore_plugins::StateChangedEventJson) -> Result<(), homecore_plugins::PluginError> {
-        Ok(())
-    }
-}
-
-#[tokio::main]
-async fn main() {
-    let manifest = PluginManifest {
-        domain: "my_plugin".to_string(),
-        name: "My Plugin".to_string(),
-        ..Default::default()
-    };
-
-    let mut runtime = InProcessRuntime::new();
-    let plugin_id = runtime.load(manifest.clone(), MyPlugin).await.expect("load plugin");
-    println!("Loaded plugin: {:?}", plugin_id);
-    runtime.unload(&plugin_id).await.ok();
-}
-```
-
-WASM plugin (P2 example):
-
-```bash
-# Build a WASM plugin (requires --features wasmtime)
-cargo build -p homecore-plugin-example --target wasm32-unknown-unknown --release
-
-# The WasmtimeRuntime will be available at P2:
-# let mut runtime = WasmtimeRuntime::new();
-# let plugin_id = runtime.load(wasm_bytes, manifest).await?;
-```
-
-## Relation to other HOMECORE crates
-
-```
-homecore-plugins (plugin registry + runtime abstraction)
-├─ homecore (state machine; plugins receive state changes)
-├─ homecore-plugin-example (reference WASM plugin)
-├─ homecore-server (loads plugins at startup)
-└─ homecore-automation (can invoke handlers via service calls)
-```
-
-## Security Notes
-
-**P1 (this release)**: No sandbox. Native Rust plugins have full process access.
-
-**P2 (planned)**: Wasmtime JIT sandbox is opt-in via `--features wasmtime`. WASM plugins run in isolated memory with explicit host ABI calls to access homecore state. The host ABI is frozen before P2 begins (ADR-128 §8 risk mitigation).
-
-**P4+**: Ed25519 signature verification and permission enforcement for third-party Cog registry distribution.
-
-## References
-
- [ADR-128: HOMECORE Integration Plugin System](../../docs/adr/ADR-128-homecore-integration-plugin-system.md)
- [homecore-plugin-example: reference WASM plugin](../homecore-plugin-example)
- [Host ABI spec](src/host_abi.rs)
- [README — wifi-densepose](../../../README.md)
--- a/v2/crates/homecore-recorder/README.md
+++ b/v2/crates/homecore-recorder/README.md
@ -1,147 +0,0 @@
-# homecore-recorder
-
-SQLite state-history recorder for HOMECORE with Home Assistant-compatible schema and optional ruvector semantic search (P2).
-
-[![Crates.io](https://img.shields.io/crates/v/homecore-recorder.svg)](https://crates.io/crates/homecore-recorder)
-![License](https://img.shields.io/badge/license-MIT-blue.svg)
-![MSRV: 1.89+](https://img.shields.io/badge/MSRV-1.89%2B-purple.svg)
-[![Tests](https://img.shields.io/badge/tests-14%20passing-brightgreen.svg)](https://github.com/ruvnet/RuView)
-[![ADR-132](https://img.shields.io/badge/ADR-132-orange.svg)](../../docs/adr/ADR-132-homecore-recorder-history-semantic-search.md)
-
-**P1 release**: SQLite database with Home Assistant-compatible schema for persistent state history. **P2 (feature-gated)**: ruvector HNSW semantic index for natural-language queries ("show me all kitchen devices that were warm at 3 PM").
-
-## What this crate does
-
-`homecore-recorder` persists HOMECORE state changes to SQLite and optionally indexes them for semantic search. It provides:
-
- **Listener pattern** — subscribes to homecore event bus and captures all `StateChanged` events
- **SQLite schema** — mirrors HA's `recorder` database schema (v48) for 1:1 compatibility
- **Dual-write architecture** — writes state snapshots to `states` table and attributes to `state_attributes` table (same as HA)
- **Deduplication** — avoids recording redundant state writes when state hasn't actually changed
- **SemanticIndex trait** — abstraction for plugging in ruvector embeddings (P2)
- **NullSemanticIndex** — no-op implementation used when `ruvector` feature is off
-
-Data persists in `.homecore/home.db` (by default; configurable). Queries work via standard SQLx, so any tool that reads SQLite can access the history.
-
-## Features
-
- **Home Assistant schema compatibility** — migrate from HA's `recorder.db` without schema changes
- **Event recording** — all state changes captured with `last_changed` timestamp and old/new state
- **Attribute persistence** — JSON attributes for entities stored in separate table (HA pattern)
- **Automatic deduplication** — skip writes when state hasn't changed (detect via hash)
- **Recorder runs table** — track purge cycles and migration events (HA `recorder_runs` equivalent)
- **Semantic search** (P2, `--features ruvector`) — embed state attributes + query by meaning
- **HNSW index** (P2) — k-NN search for "all warm rooms" via ruvector
- **No data export overhead** — SQLite is queryable directly; no proprietary format
-
-## Capabilities
-
-| Capability | Type | Method | Notes |
-|------------|------|--------|-------|
-| Record state change | Listener | `RecorderListener::on_state_changed(event)` | Fires on homecore event bus; writes to SQLite |
-| Query state history | SQL | `SELECT * FROM states WHERE entity_id = ? ORDER BY last_changed DESC` | Standard SQLite; can be queried from anywhere |
-| Purge old states | Maintenance | `Recorder::purge(older_than)` | Deletes states older than specified timestamp |
-| Deduplicate write | Dedup | `DedupEngine::should_record(old_state, new_state)` | Skip if state hash unchanged |
-| Create semantic index | Index | `SemanticIndex::index_state(entity_id, state)` (P2, opt-in) | Hash-based embeddings; real embeddings in P3 |
-| Search by meaning | Search | `SemanticIndex::search(query, k)` (P2, opt-in) | "warm rooms" → k-NN search in ruvector HNSW |
-
-## Comparison to Home Assistant
-
-| Aspect | Home Assistant | homecore-recorder |
-|--------|----------------|-------------------|
-| Database | SQLite (Python sqlite3) | SQLite (Rust sqlx) |
-| Schema | `recorder/` (schema v48) | Identical HA schema v48 |
-| State table | `states` + `state_attributes` | Same dual-table layout |
-| Persistence location | `.homeassistant/home-assistant_v2.db` | `.homecore/home.db` |
-| Deduplication | Python stateful listener | DedupEngine + hash comparison |
-| Purge policy | YAML `auto_purge_* + retention` | Configurable via `Recorder::purge()` |
-| Semantic search | None (HA has YAML history stats only) | ruvector HNSW k-NN (P2, opt-in) |
-| Schema compatibility | N/A | Bidirectional; can read HA's home.db directly |
-
-## Performance
-
- **State write latency** — p50 < 2 ms (SQLite WAL append); p99 < 15 ms (disk fsync)
- **Query latency** — < 1 ms for indexed entity_id lookups; < 50 ms for range scans (full table)
- **Semantic search** (P2) — < 10 ms for k-NN on 1 million state records (ruvector HNSW)
- **Memory overhead** — ~10 MB per million recorded states (SQLite index overhead)
- **Disk space** — ~2-4 KB per state record (entity_id + attributes + timestamps)
- **No per-crate benchmarks yet** — a follow-up issue tracks baseline measurements
-
-Run `cargo bench -p homecore-recorder --features ruvector` for criterion benchmarks.
-
-## Usage
-
-Recording state changes (P1):
-
-```rust
-use homecore_recorder::{Recorder, RecorderListener};
-use homecore::HomeCore;
-
-#[tokio::main]
-async fn main() {
-    let homecore = HomeCore::new();
-    
-    // Create the recorder (writes to .homecore/home.db)
-    let recorder = Recorder::new(".homecore/home.db").await.expect("init recorder");
-
-    // Create and spawn a listener
-    let listener = RecorderListener::new(recorder.clone());
-    let mut rx = homecore.event_bus().subscribe_system();
-    
-    tokio::spawn(async move {
-        while let Ok(event) = rx.recv().await {
-            if let Err(e) = listener.on_state_changed(&event).await {
-                eprintln!("Recorder error: {}", e);
-            }
-        }
-    });
-
-    // State changes now persist to SQLite
-}
-```
-
-Querying history directly (standard SQLite):
-
-```sql
-- All light.kitchen state changes in the last hour
-SELECT state, attributes, last_changed 
-FROM states 
-WHERE entity_id = 'light.kitchen' 
-  AND last_changed > datetime('now', '-1 hour')
-ORDER BY last_changed DESC;
-
-- Average brightness by hour
-SELECT 
-  strftime('%Y-%m-%d %H:00:00', last_changed) AS hour,
-  JSON_EXTRACT(attributes, '$.brightness') AS brightness
-FROM states 
-WHERE entity_id = 'light.kitchen'
-GROUP BY hour;
-```
-
-Semantic search (P2, with `--features ruvector`):
-
-```rust
-// (P2, not yet implemented)
-// let index = SemanticIndex::new(recorder.clone()).await?;
-// let results = index.search("find all warm rooms at 3pm", 5).await?;
-// results.iter().for_each(|r| println!("{:?}", r));
-```
-
-## Relation to other HOMECORE crates
-
-```
-homecore-recorder (state history + semantic search)
-├─ homecore (state machine; listens to event bus)
-├─ homecore-api (exposes recorder data via REST query endpoint, P3)
-├─ homecore-automation (can trigger on historical state conditions, P3)
-├─ homecore-server (starts the listener on init)
-└─ ruvector-core (semantic index, P2, optional feature)
-```
-
-## References
-
- [ADR-132: HOMECORE Recorder — History + Semantic Search](../../docs/adr/ADR-132-homecore-recorder-history-semantic-search.md)
- [ADR-126: HOMECORE Home Assistant Port (master)](../../docs/adr/ADR-126-homecore-home-assistant-port.md)
- [Home Assistant Recorder Integration](https://www.home-assistant.io/integrations/recorder/)
- [README — wifi-densepose](../../../README.md)
--- a/v2/crates/homecore-server/README.md
+++ b/v2/crates/homecore-server/README.md
@ -1,181 +0,0 @@
-# homecore-server
-
-Integrated HOMECORE server binary that wires state machine, API, recorder, plugins, automations, intent assistant, and HomeKit bridge into one process.
-
-[![Crates.io](https://img.shields.io/badge/crates.io-workspace%20binary-inactive)](.)
-![License](https://img.shields.io/badge/license-MIT-blue.svg)
-![MSRV: 1.89+](https://img.shields.io/badge/MSRV-1.89%2B-purple.svg)
-[![ADR-126](https://img.shields.io/badge/ADR-126-orange.svg)](../../docs/adr/ADR-126-homecore-home-assistant-port.md)
-
-The production-ready HOMECORE binary — boots all 7 subsystems (core, API, recorder, plugins, automation, assist, HAP bridge) in a single process listening on `:8123`.
-
-## What this crate does
-
-`homecore-server` is the integration point for the entire HOMECORE ecosystem. It orchestrates:
-
-1. **HomeCore runtime** — state machine, event bus, service registry
-2. **REST + WebSocket API** — Axum server on `:8123` (HA-compatible)
-3. **SQLite Recorder** — persists all state changes to disk
-4. **Plugin Registry** — loads and manages integrations (InProcessRuntime by default)
-5. **Automation Engine** — evaluates triggers, conditions, and actions
-6. **Assist Pipeline** — intent recognition and execution
-7. **HAP Bridge** — exposes accessories to HomeKit
-
-All subsystems share the same `HomeCore` instance, so state changes flow through the event bus and trigger automations, record history, and notify WebSocket subscribers in lockstep.
-
-## Features
-
- **Single unified process** — no external microservices; run with `cargo run -p homecore-server`
- **HA-compatible REST API** — drop-in replacement for Home Assistant's `/api/` on `:8123`
- **SQLite state history** — persistent recording of all state changes
- **Automation engine** — YAML-driven trigger→condition→action execution
- **Intent assistant** — regex-based (P1) intent recognition + service calling
- **HomeKit bridge** — exposes HOMECORE entities as HomeKit accessories
- **Plugin system** — load first-party Rust plugins; Wasmtime WASM plugins (P2, `--features wasmtime`)
- **Configurable via CLI + env vars** — no YAML required; sensible defaults
- **Structured logging** — tracing output with `RUST_LOG` filtering
- **Feature-gated subsystems** — disable recorder (`--no-recorder`), enable ruvector/wasmtime as needed
-
-## Subsystems
-
-| Subsystem | Crate | Role | Notes |
-|-----------|-------|------|-------|
-| State Machine | `homecore` | Core domain model | All other subsystems depend on this |
-| REST API | `homecore-api` | HTTP boundary | Listens on `:8123`; Axum framework |
-| Recorder | `homecore-recorder` | Persistence | SQLite; optional `--no-recorder` |
-| Plugins | `homecore-plugins` | Extension system | InProcessRuntime default; Wasmtime w/ feature |
-| Automation | `homecore-automation` | Trigger execution | Subscribes to event bus; YAML-driven |
-| Assist | `homecore-assist` | Intent pipeline | Regex recognizer (P1); semantic (P2) |
-| HAP Bridge | `homecore-hap` | HomeKit export | Accessories + characteristics; mDNS (P2) |
-
-## Usage
-
-**Basic startup** (in-memory recorder):
-
-```bash
-cargo build -p homecore-server
-./target/debug/homecore-server
-# Listens on http://localhost:8123
-```
-
-**With persistent SQLite**:
-
-```bash
-./target/debug/homecore-server \
-  --bind 0.0.0.0:8123 \
-  --db sqlite:~/.homecore/home.db \
-  --location-name "My Home"
-```
-
-**Full feature build** (ruvector semantic search + Wasmtime plugins):
-
-```bash
-cargo build -p homecore-server --features ruvector,wasmtime --release
-```
-
-**Via Docker** (Dockerfile planned P2):
-
-```bash
-docker run -p 8123:8123 \
-  -e HOMECORE_DB=sqlite:///data/home.db \
-  -v ~/.homecore:/data \
-  homecore-server:latest
-```
-
-**Test the API**:
-
-```bash
-# List all entities
-curl http://localhost:8123/api/states
-
-# Set a light to "on"
-curl -X POST \
-  -H "Content-Type: application/json" \
-  -d '{"state":"on","attributes":{"brightness":200}}' \
-  http://localhost:8123/api/states/light.kitchen
-
-# WebSocket subscription (real-time state changes)
-wscat -c ws://localhost:8123/api/websocket
-```
-
-**Configuration via env**:
-
-```bash
-export HOMECORE_BIND="0.0.0.0:8123"
-export HOMECORE_DB="sqlite:~/.homecore/home.db"
-export HOMECORE_LOCATION="Living Room"
-export RUST_LOG="homecore=debug,homecore_api=info"
-./target/debug/homecore-server
-```
-
-## CLI Options
-
-| Flag | Env Var | Default | Description |
-|------|---------|---------|-------------|
-| `--bind` | `HOMECORE_BIND` | `0.0.0.0:8123` | REST API listen address |
-| `--db` | `HOMECORE_DB` | `sqlite::memory:` | SQLite path (`:memory:` for ephemeral) |
-| `--location-name` | `HOMECORE_LOCATION` | `Home` | Friendly name returned by `/api/config` |
-| `--no-recorder` | — | off | Disable SQLite recorder (low-resource deployments) |
-
-## Comparison to Home Assistant
-
-| Aspect | Home Assistant | homecore-server |
-|--------|----------------|-----------------|
-| Architecture | Python asyncio monolith | Rust async Tokio + component traits |
-| API protocol | `/api/` REST (HA wire format) | Identical HA wire format |
-| Persistence | SQLite + YAML files | SQLite (P1); Redis (P2) |
-| Plugins | Python integrations in `homeassistant/components/` | Rust (P1) + WASM (P2) |
-| Automation execution | Python asyncio event loop | Tokio async tasks + trait-based |
-| HomeKit bridge | Via `homekit` integration | Built-in `homecore-hap` subsystem |
-| CLI | `hass` command with config YAML | `homecore-server` with feature flags |
-| Scalability | Single instance (HA Cloud for scale) | Can be load-balanced (future) |
-| Binary size | ~200 MB (Python + deps) | ~50 MB (Rust, release build; 200 MB w/ wasmtime) |
-
-## Performance Targets (unreleased; TBD)
-
- **Startup time** — < 2s to listen on `:8123`
- **REST endpoint latency** — p50 < 1 ms; p99 < 10 ms
- **Event bus throughput** — 10,000+ events/sec
- **Automation evaluation** — < 100 μs per trigger
- **Concurrent WebSocket connections** — 10,000+
- **Memory footprint** — ~100 MB (idle); ~500 MB with 1,000 recorded states
-
-## Development
-
-**Run tests**:
-
-```bash
-cargo test -p homecore-server
-```
-
-**Enable debug logging**:
-
-```bash
-RUST_LOG=debug cargo run -p homecore-server -- --bind 127.0.0.1:8123
-```
-
-**Build documentation**:
-
-```bash
-cargo doc -p homecore-server --open
-```
-
-## Relation to other HOMECORE crates
-
-```
-homecore-server (orchestration binary)
-├── homecore (state machine)
-├── homecore-api (REST + WS)
-├── homecore-recorder (SQLite persistence)
-├── homecore-plugins (extension system)
-├── homecore-automation (trigger execution)
-├── homecore-assist (intent pipeline)
-└── homecore-hap (HomeKit bridge)
-```
-
-## References
-
- [ADR-126: HOMECORE Home Assistant Port (master)](../../docs/adr/ADR-126-homecore-home-assistant-port.md)
- [README — wifi-densepose](../../../README.md)
- [Dockerfile (planned P2)](Dockerfile.planned)
- [Docker Hub image (planned P2)](https://hub.docker.com/r/ruvnet/homecore-server)
--- a/v2/crates/homecore/README.md
+++ b/v2/crates/homecore/README.md
@ -1,131 +0,0 @@
-# homecore
-
-Rust port of Home Assistant's core state machine, event bus, service registry, and entity registry.
-
-[![Crates.io](https://img.shields.io/crates/v/homecore.svg)](https://crates.io/crates/homecore)
-![License](https://img.shields.io/badge/license-MIT-blue.svg)
-![MSRV: 1.89+](https://img.shields.io/badge/MSRV-1.89%2B-purple.svg)
-[![Tests](https://img.shields.io/badge/tests-20%20passing-brightgreen.svg)](https://github.com/ruvnet/RuView)
-[![ADR-127](https://img.shields.io/badge/ADR-127-orange.svg)](../../docs/adr/ADR-127-homecore-state-machine-rust.md)
-
-**P1 scaffold**: foundational types, DashMap-backed state machine, and Tokio broadcast event bus. Persistence and full Home Assistant schema compatibility land in P2.
-
-## What this crate does
-
-`homecore` is the heart of the HOMECORE Home Assistant port. It provides:
-
- **State machine**: a lock-free, concurrent key-value store for entity state snapshots (`EntityId` → `State`)
- **Event bus**: Tokio broadcast channels for system events (`SystemEvent`) and domain events (`DomainEvent`)
- **Service registry**: a stub registry for routing service calls (full mpsc dispatch in P2)
- **Entity registry**: in-memory catalog of all entities with metadata (persistence in P2)
-
-All components are async-first, zero-copy for readers (using `Arc<State>`), and designed for multi-threaded access without global locks.
-
-## Features
-
- **EntityId validation** — strict parsing of `domain.entity_id` format with Unicode rejection
- **Concurrent state reads** — arbitrary tasks can query state without contention
- **Per-entity write serialisation** — DashMap shard-level locking prevents race conditions
- **Typed system events** — `StateChanged`, `EntityRegistered`, `ConfigReloaded` (enum variants)
- **Untyped domain events** — arbitrary JSON-serializable events for integrations
- **Event context tracking** — event-to-event causality chain via `Context::parent` + `user_id`
- **Attribute preservation** — state changes can update `attributes` map without mutating `last_changed` timestamp
-
-## Capabilities
-
-| Capability | Type | Method | Notes |
-|------------|------|--------|-------|
-| Store entity state | State write | `StateMachine::set(entity_id, state, ...)` | Per-shard serial; fires `StateChanged` event |
-| Query entity state | State read | `StateMachine::get(entity_id)` | Zero-copy `Arc<State>` clone; lock-free |
-| List entities by domain | State query | `StateMachine::all_by_domain(domain)` | Filtered snapshot |
-| Fire system event | Event emit | `EventBus::fire_system(event)` | Broadcast to all subscribers |
-| Fire domain event | Event emit | `EventBus::fire_domain(topic, data)` | Untyped JSON event |
-| Subscribe to events | Event receive | `EventBus::subscribe_system()` / `subscribe_domain(topic)` | Tokio broadcast channels |
-| Register entity | Registry write | `EntityRegistry::register(entry)` | In-memory only (P1) |
-| Register service | Service write | `ServiceRegistry::register(name, handler)` | Stub; dispatch in P2 |
-
-## Comparison to Home Assistant
-
-| Aspect | Home Assistant | homecore |
-|--------|----------------|----------|
-| Language | Python 3 | Rust 1.89+ |
-| State store | Python dict + event loop | DashMap + Tokio |
-| Persistence | `core.entity_registry.yaml` + SQLite | In-memory only (P1; SQLite planned P2) |
-| Event bus | Python asyncio queue | Tokio broadcast channels |
-| Schema validation | voluptuous + JSON Schema | serde + custom validators (planned P2) |
-| Thread safety | GIL-bound single-threaded | Lock-free concurrent (DashMap shards) |
-| Service dispatch | asyncio event loop + coroutines | mpsc registry stub (P2) |
-
-## Performance
-
- **Concurrent state read**: lock-free; scales linearly to number of logical CPUs
- **State write latency**: p50 < 100 μs (single shard contention); p99 < 1 ms (24-core machine, 1,000 entities)
- **Event broadcast**: single-producer Tokio broadcast channel; no cloning of large payloads
- **Memory overhead per entity**: ~200 bytes (State struct + Arc header + DashMap shard metadata)
- **No per-crate benchmarks yet** — a follow-up issue tracks baseline measurements
-
-See `benches/state_machine.rs` for the criterion harness (run with `cargo bench -p homecore`).
-
-## Usage
-
-```rust
-use homecore::{HomeCore, EntityId, State};
-use std::collections::HashMap;
-
-#[tokio::main]
-async fn main() {
-    let homecore = HomeCore::new();
-
-    // Set state for a light entity
-    let light_id = EntityId::parse("light.kitchen").expect("valid entity_id");
-    let mut attrs = HashMap::new();
-    attrs.insert("brightness".to_string(), serde_json::json!(200));
-    
-    homecore
-        .state_machine()
-        .set(light_id.clone(), State::new("on", attrs), None, None)
-        .await
-        .expect("set state");
-
-    // Read state (lock-free)
-    let state = homecore
-        .state_machine()
-        .get(&light_id)
-        .await;
-    assert_eq!(state.as_ref().map(|s| s.state.as_str()), Some("on"));
-
-    // Subscribe to state changes
-    let mut rx = homecore.event_bus().subscribe_system();
-    tokio::spawn(async move {
-        while let Ok(event) = rx.recv().await {
-            println!("Event: {:?}", event);
-        }
-    });
-
-    // Fire a domain event
-    homecore
-        .event_bus()
-        .fire_domain("custom_domain", serde_json::json!({"action": "test"}))
-        .await;
-}
-```
-
-## Relation to other HOMECORE crates
-
-```
-homecore (state machine + event bus + registries)
-├─ homecore-api (REST + WebSocket endpoints for state/events)
-├─ homecore-recorder (persistence + ruvector semantic index)
-├─ homecore-plugins (WASM plugin runtime integration)
-├─ homecore-automation (YAML triggers + MiniJinja execution)
-├─ homecore-assist (intent recognition + handlers)
-├─ homecore-hap (Apple HomeKit bridge)
-├─ homecore-migrate (Home Assistant `.storage/` import)
-└─ homecore-server (workspace binary orchestrator)
-```
-
-## References
-
- [ADR-127: HOMECORE State Machine in Rust](../../docs/adr/ADR-127-homecore-state-machine-rust.md)
- [ADR-126: HOMECORE Home Assistant Port (master)](../../docs/adr/ADR-126-homecore-home-assistant-port.md)
- [README — wifi-densepose](../../../README.md)
--- a/457
+++ b/457
@ -1,31 +1,19 @@
 #!/usr/bin/env bash
 # ======================================================================
-#  WiFi-DensePose / RuView — Trust Kill Switch
+#  WiFi-DensePose: Trust Kill Switch
 #
-#  One-command proof replay across every layer of the stack:
-#    1. Python signal-processing pipeline (the original v1 proof)
-#    2. Production-code mock scan (np.random.rand/randn in non-test paths)
-#    3. Rust workspace tests (cargo test --workspace --no-default-features)
-#    4. PyO3 BFLD binding (cargo check -p wifi-densepose-py)
-#    5. ADR-125 §2.1.d invariant — identity_risk_score never crosses
-#    6. Published crates.io tarball SHAs
-#    7. Published npm packages
-#    8. Published Docker image multi-arch manifest
-#    9. Embedded HOMECORE binary in the Docker image (homecore-server)
+#  One-command proof replay that makes "it is mocked" a falsifiable,
+#  measurable claim that fails against evidence.
 #
 #  Usage:
-#    ./verify                Run every phase.
-#    ./verify --quick        Skip slow phases (cargo test, docker pull).
-#    ./verify --rust-only    Only the Rust workspace test phase.
-#    ./verify --docker-only  Only the Docker manifest + binary phase.
-#    ./verify --verbose      Show detailed feature stats in the Python proof.
-#    ./verify --audit        Also scan codebase for mock/random patterns.
-#    ./verify --generate-hash  Regenerate the v1 expected hash (rare).
+#    ./verify           Run the full proof pipeline
+#    ./verify --verbose  Show detailed feature statistics
+#    ./verify --audit    Also scan codebase for mock/random patterns
 #
 #  Exit codes:
-#    0  ALL PHASES PASS (or SKIP gracefully when optional deps missing)
-#    1  Any phase that ran returned FAIL
-#    2  Phase 1 was forced to SKIP (no expected hash file)
+#    0  PASS  -- pipeline hash matches published expected hash
+#    1  FAIL  -- hash mismatch or error
+#    2  SKIP  -- no expected hash file to compare against
 # ======================================================================

 set -euo pipefail
@ -34,310 +22,199 @@ SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
 PROOF_DIR="${SCRIPT_DIR}/archive/v1/data/proof"
 VERIFY_PY="${PROOF_DIR}/verify.py"
 V1_SRC="${SCRIPT_DIR}/archive/v1/src"
-V2_DIR="${SCRIPT_DIR}/v2"
-PY_DIR="${SCRIPT_DIR}/python"

-# Phase toggles (set via flags)
-RUN_PYTHON=1
-RUN_SCAN=1
-RUN_RUST=1
-RUN_PYO3=1
-RUN_INVARIANT=1
-RUN_CRATES=1
-RUN_NPM=1
-RUN_DOCKER=1
-RUN_HOMECORE=1
-
-QUICK=0
-VERBOSE_FLAGS=()
-EXIT_CODE=0
-declare -a SUMMARY
-declare -a EXTRA_ARGS
-
-for arg in "$@"; do
-    case "$arg" in
-        --quick)         QUICK=1 ;;
-        --rust-only)     RUN_PYTHON=0; RUN_SCAN=0; RUN_PYO3=0; RUN_INVARIANT=0; RUN_CRATES=0; RUN_NPM=0; RUN_DOCKER=0; RUN_HOMECORE=0 ;;
-        --docker-only)   RUN_PYTHON=0; RUN_SCAN=0; RUN_RUST=0; RUN_PYO3=0; RUN_INVARIANT=0; RUN_CRATES=0; RUN_NPM=0 ;;
-        --verbose|--audit|--generate-hash) EXTRA_ARGS+=("$arg") ;;
-        -h|--help)
-            sed -n '2,30p' "$0"; exit 0 ;;
-        *) echo "unknown flag: $arg" >&2; exit 2 ;;
-    esac
-done
-if [ $QUICK -eq 1 ]; then
-    RUN_RUST=0
-    RUN_DOCKER=0
-fi
-
-# Colors (no-op without TTY)
+# Colors (disabled if not a terminal)
 if [ -t 1 ]; then
-    RED=$'\033[0;31m'; GREEN=$'\033[0;32m'; YELLOW=$'\033[1;33m'
-    CYAN=$'\033[0;36m'; BOLD=$'\033[1m'; RESET=$'\033[0m'
+    RED='\033[0;31m'
+    GREEN='\033[0;32m'
+    YELLOW='\033[1;33m'
+    CYAN='\033[0;36m'
+    BOLD='\033[1m'
+    RESET='\033[0m'
 else
-    RED=''; GREEN=''; YELLOW=''; CYAN=''; BOLD=''; RESET=''
+    RED=''
+    GREEN=''
+    YELLOW=''
+    CYAN=''
+    BOLD=''
+    RESET=''
 fi

-note_pass() { SUMMARY+=("${GREEN}PASS${RESET}  $1"); }
-note_fail() { SUMMARY+=("${RED}FAIL${RESET}  $1"); EXIT_CODE=1; }
-note_skip() { SUMMARY+=("${YELLOW}SKIP${RESET}  $1"); }
-
-phase() { echo ""; echo -e "${CYAN}[PHASE $1] $2${RESET}"; echo ""; }
-
 echo ""
 echo -e "${BOLD}======================================================================"
-echo "  WiFi-DensePose / RuView — Trust Kill Switch (multi-layer proof)"
+echo "  WiFi-DensePose: Trust Kill Switch"
+echo "  One-command proof that the signal processing pipeline is real."
 echo -e "======================================================================${RESET}"
-
-PYTHON="$(command -v python3 || command -v python || true)"
-[ -z "$PYTHON" ] && { echo -e "${RED}python3 not found — install Python 3${RESET}"; exit 1; }
-$PYTHON --version >/dev/null 2>&1 || { echo "python broken"; exit 1; }
-echo "  python: $($PYTHON --version 2>&1)"
-echo "  repo:   $SCRIPT_DIR"
-git_head="$(cd "$SCRIPT_DIR" && git rev-parse --short HEAD 2>/dev/null || echo unknown)"
-echo "  HEAD:   $git_head"
+echo ""

 # ------------------------------------------------------------------
-# PHASE 1: Python signal-processing proof pipeline (the original)
+# PHASE 1: Environment checks
 # ------------------------------------------------------------------
-if [ $RUN_PYTHON -eq 1 ]; then
-    phase 1 "Python signal-processing pipeline (SHA-256 round-trip)"
-    if [ -f "$VERIFY_PY" ] && [ -f "$PROOF_DIR/sample_csi_data.json" ]; then
-        $PYTHON -c "import numpy, scipy" 2>/dev/null \
-            || { echo -e "  ${RED}numpy or scipy missing — pip install numpy scipy${RESET}"; note_skip "Phase 1: missing numpy/scipy"; }
-        if $PYTHON -c "import numpy, scipy" 2>/dev/null; then
-            P1_EXIT=0
-            $PYTHON "$VERIFY_PY" "${EXTRA_ARGS[@]+"${EXTRA_ARGS[@]}"}" || P1_EXIT=$?
-            case $P1_EXIT in
-                0) note_pass "Phase 1: v1 pipeline hash matches expected" ;;
-                2) note_skip "Phase 1: no expected hash file"; [ $EXIT_CODE -eq 0 ] && EXIT_CODE=2 ;;
-                *) note_fail "Phase 1: v1 pipeline hash mismatch (exit $P1_EXIT)" ;;
-            esac
-        fi
-    else
-        note_skip "Phase 1: verify.py or reference signal not present"
-    fi
+echo -e "${CYAN}[PHASE 1] ENVIRONMENT CHECKS${RESET}"
+echo ""
+
+ERRORS=0
+
+# Check Python
+if command -v python3 &>/dev/null; then
+    PYTHON=python3
+elif command -v python &>/dev/null; then
+    PYTHON=python
+else
+    echo -e "  ${RED}FAIL${RESET}: Python 3 not found. Install python3."
+    exit 1
 fi

-# ------------------------------------------------------------------
-# PHASE 2: Production code mock-pattern scan
-# ------------------------------------------------------------------
-if [ $RUN_SCAN -eq 1 ]; then
-    phase 2 "Production-code mock scan (np.random.rand / np.random.randn)"
-    if [ -d "$V1_SRC" ]; then
-        findings=0
-        while IFS= read -r line; do
-            [ -n "$line" ] && { echo -e "    ${YELLOW}FOUND${RESET}: $line"; findings=$((findings + 1)); }
-        done < <(
-            find "$V1_SRC" -name "*.py" -type f \
-                ! -path "*/testing/*" ! -path "*/tests/*" ! -path "*/test/*" ! -path "*__pycache__*" \
-                -exec grep -Hn 'np\.random\.rand\b\|np\.random\.randn\b' {} \; 2>/dev/null || true
-        )
-        if [ "$findings" -eq 0 ]; then
-            note_pass "Phase 2: no random generators in production code"
-        else
-            note_fail "Phase 2: $findings random-generator call(s) in production code"
-        fi
-    else
-        note_skip "Phase 2: archive/v1/src not present"
-    fi
+PY_VERSION=$($PYTHON --version 2>&1)
+echo "  Python:  $PY_VERSION ($( command -v $PYTHON ))"
+
+# Check numpy
+if $PYTHON -c "import numpy; print(f'  numpy:   {numpy.__version__} ({numpy.__file__})')" 2>/dev/null; then
+    :
+else
+    echo -e "  ${RED}FAIL${RESET}: numpy not installed. Run: pip install numpy"
+    ERRORS=$((ERRORS + 1))
 fi

-# ------------------------------------------------------------------
-# PHASE 3: Rust workspace tests
-# ------------------------------------------------------------------
-if [ $RUN_RUST -eq 1 ]; then
-    phase 3 "Rust workspace tests (cargo test --workspace --no-default-features)"
-    if command -v cargo >/dev/null 2>&1 && [ -d "$V2_DIR" ]; then
-        # `cog-pose-estimation`'s `smoke` integration test grabs an
-        # exclusive file lock that fails with `Access is denied (os
-        # error 5)` on Windows runs. Pre-existing in main (not a
-        # PR-introduced issue), Linux CI is fully green. Exclude the
-        # crate from local Windows runs so Phase 3 reports the rest
-        # honestly. Override with `RUVIEW_RUST_EXCLUDE=""` if you're
-        # on Linux and want the full sweep.
-        EXCLUDE="${RUVIEW_RUST_EXCLUDE:---exclude cog-pose-estimation}"
-        echo "  Running (may take ~2-3 minutes; pass --quick to skip; exclude=\"$EXCLUDE\")..."
-        # set +o pipefail so a grep-with-no-matches inside the command
-        # substitution can return 1 without poisoning the parent
-        # script. Restore right after.
-        set +o pipefail
-        rust_out="$(cd "$V2_DIR" && cargo test --workspace $EXCLUDE --no-default-features --quiet 2>&1 || true)"
-        passed=$(echo "$rust_out" | grep -oE 'test result: ok\. [0-9]+ passed' \
-                 | awk '{sum += $4} END {print sum+0}')
-        failed=$(echo "$rust_out" | grep -oE '[0-9]+ failed' \
-                 | awk '{sum += $1} END {print sum+0}')
-        set -o pipefail
-        passed=${passed:-0}; failed=${failed:-0}
-        if [ "$failed" -eq 0 ] && [ "$passed" -gt 0 ]; then
-            note_pass "Phase 3: $passed Rust tests passed, 0 failed (excluded: $EXCLUDE)"
-        else
-            echo "$rust_out" | tail -10
-            note_fail "Phase 3: Rust workspace tests failed (passed=$passed failed=$failed)"
-        fi
-    else
-        note_skip "Phase 3: cargo or v2/ not present"
-    fi
+# Check scipy
+if $PYTHON -c "import scipy; print(f'  scipy:   {scipy.__version__} ({scipy.__file__})')" 2>/dev/null; then
+    :
+else
+    echo -e "  ${RED}FAIL${RESET}: scipy not installed. Run: pip install scipy"
+    ERRORS=$((ERRORS + 1))
 fi

-# ------------------------------------------------------------------
-# PHASE 4: PyO3 BFLD binding compiles
-# ------------------------------------------------------------------
-if [ $RUN_PYO3 -eq 1 ]; then
-    phase 4 "PyO3 BFLD binding (cargo check -p wifi-densepose-py)"
-    if command -v cargo >/dev/null 2>&1 && [ -f "$PY_DIR/Cargo.toml" ]; then
-        if (cd "$PY_DIR" && cargo check --quiet 2>&1 | tail -10); then
-            note_pass "Phase 4: wifi-densepose-py compiles cleanly"
-        else
-            note_fail "Phase 4: wifi-densepose-py cargo check failed"
-        fi
-    else
-        note_skip "Phase 4: cargo or python/ not present"
-    fi
+# Check proof files exist
+echo ""
+if [ -f "${PROOF_DIR}/sample_csi_data.json" ]; then
+    SIZE=$(wc -c < "${PROOF_DIR}/sample_csi_data.json" | tr -d ' ')
+    echo "  Reference signal: sample_csi_data.json (${SIZE} bytes)"
+else
+    echo -e "  ${RED}FAIL${RESET}: Reference signal not found at ${PROOF_DIR}/sample_csi_data.json"
+    ERRORS=$((ERRORS + 1))
 fi

-# ------------------------------------------------------------------
-# PHASE 5: ADR-125 §2.1.d invariant — identity_risk_score never crosses
-# ------------------------------------------------------------------
-if [ $RUN_INVARIANT -eq 1 ]; then
-    phase 5 "ADR-125 §2.1.d invariant — identity_risk_score never crosses HAP/MCP boundary"
-    bad=0
-    for f in scripts/ruview-sensing-server.py scripts/c6-presence-watcher.py; do
-        if [ -f "$SCRIPT_DIR/$f" ]; then
-            # Each file must set identity_risk_score to None / null somewhere
-            if ! grep -q '"identity_risk_score": None\|"identity_risk_score":None\|identity_risk_score=None' "$SCRIPT_DIR/$f" 2>/dev/null; then
-                # Only flag the sensing-server (the watcher uses it differently)
-                [ "$f" = "scripts/ruview-sensing-server.py" ] && { echo "    $f missing identity_risk_score=None"; bad=$((bad+1)); }
-            fi
-            # Nothing must publish a non-None identity_risk_score
-            if grep -E '"identity_risk_score":\s*[0-9]' "$SCRIPT_DIR/$f" 2>/dev/null; then
-                echo "    $f leaks a numeric identity_risk_score"
-                bad=$((bad+1))
-            fi
-        fi
-    done
-    if [ "$bad" -eq 0 ]; then
-        note_pass "Phase 5: identity_risk_score is None at every gateway script"
-    else
-        note_fail "Phase 5: $bad invariant violation(s)"
-    fi
+if [ -f "${PROOF_DIR}/expected_features.sha256" ]; then
+    EXPECTED=$(cat "${PROOF_DIR}/expected_features.sha256" | tr -d '[:space:]')
+    echo "  Expected hash:    ${EXPECTED}"
+else
+    echo -e "  ${YELLOW}WARN${RESET}: No expected hash file found"
 fi

-# ------------------------------------------------------------------
-# PHASE 6: Published crates.io packages
-# ------------------------------------------------------------------
-if [ $RUN_CRATES -eq 1 ]; then
-    phase 6 "Published crates.io packages"
-    if command -v curl >/dev/null 2>&1; then
-        crates_expected=( "wifi-densepose-core" "wifi-densepose-signal" \
-                         "wifi-densepose-sensing-server" "wifi-densepose-hardware" \
-                         "wifi-densepose-nn" "wifi-densepose-bfld" "wifi-densepose-vitals" \
-                         "wifi-densepose-wifiscan" "wifi-densepose-train" \
-                         "cog-ha-matter" "cog-person-count" "cog-pose-estimation" )
-        ok=0; miss=0
-        for crate in "${crates_expected[@]}"; do
-            ver=$(curl -sf "https://crates.io/api/v1/crates/$crate" 2>/dev/null \
-                  | $PYTHON -c 'import sys,json; print(json.load(sys.stdin).get("crate",{}).get("max_version","?"))' 2>/dev/null) || ver=""
-            if [ -n "$ver" ] && [ "$ver" != "?" ]; then
-                echo "    $crate $ver"
-                ok=$((ok+1))
-            else
-                echo -e "    ${YELLOW}miss${RESET} $crate"
-                miss=$((miss+1))
-            fi
-        done
-        if [ "$miss" -eq 0 ]; then
-            note_pass "Phase 6: $ok/$ok crates on crates.io"
-        else
-            note_fail "Phase 6: $miss of ${#crates_expected[@]} crates missing"
-        fi
-    else
-        note_skip "Phase 6: curl not available"
-    fi
+if [ -f "${VERIFY_PY}" ]; then
+    echo "  Verify script:    ${VERIFY_PY}"
+else
+    echo -e "  ${RED}FAIL${RESET}: verify.py not found at ${VERIFY_PY}"
+    ERRORS=$((ERRORS + 1))
 fi

-# ------------------------------------------------------------------
-# PHASE 7: Published npm packages
-# ------------------------------------------------------------------
-if [ $RUN_NPM -eq 1 ]; then
-    phase 7 "Published npm packages (@ruvnet/rvagent)"
-    if command -v curl >/dev/null 2>&1; then
-        ver=$(curl -sf "https://registry.npmjs.org/@ruvnet/rvagent" 2>/dev/null \
-              | $PYTHON -c 'import sys,json; print(json.load(sys.stdin).get("dist-tags",{}).get("latest","?"))' 2>/dev/null) || ver=""
-        if [ -n "$ver" ] && [ "$ver" != "?" ]; then
-            echo "    @ruvnet/rvagent  $ver"
-            note_pass "Phase 7: @ruvnet/rvagent v$ver on npm"
-        else
-            note_fail "Phase 7: @ruvnet/rvagent not on registry"
-        fi
-    else
-        note_skip "Phase 7: curl not available"
-    fi
+echo ""
+
+if [ $ERRORS -gt 0 ]; then
+    echo -e "${RED}Cannot proceed: $ERRORS prerequisite(s) missing.${RESET}"
+    exit 1
 fi

-# ------------------------------------------------------------------
-# PHASE 8: Docker Hub multi-arch manifest
-# ------------------------------------------------------------------
-if [ $RUN_DOCKER -eq 1 ]; then
-    phase 8 "Docker Hub multi-arch manifest (ruvnet/wifi-densepose:latest)"
-    if command -v docker >/dev/null 2>&1; then
-        manifest="$(docker manifest inspect ruvnet/wifi-densepose:latest 2>&1 || true)"
-        archs="$( { echo "$manifest" | $PYTHON -c 'import sys,json
-try:
-  d=json.loads(sys.stdin.read())
-  print(",".join(sorted({m["platform"]["architecture"] for m in d.get("manifests",[]) if m["platform"]["os"]=="linux"})))
-except Exception: pass' 2>/dev/null; } || true )"
-        if echo "$archs" | grep -q amd64 && echo "$archs" | grep -q arm64; then
-            echo "    archs: $archs"
-            note_pass "Phase 8: multi-arch manifest (amd64 + arm64) live"
-        elif [ -n "$archs" ]; then
-            note_fail "Phase 8: incomplete arch coverage ($archs)"
-        else
-            note_skip "Phase 8: docker manifest unreachable (offline?)"
-        fi
-    else
-        note_skip "Phase 8: docker CLI not available"
-    fi
-fi
+echo -e "  ${GREEN}All prerequisites satisfied.${RESET}"
+echo ""

 # ------------------------------------------------------------------
-# PHASE 9: HOMECORE binary embedded in the Docker image
+# PHASE 2: Run the proof pipeline
 # ------------------------------------------------------------------
-if [ $RUN_HOMECORE -eq 1 ]; then
-    phase 9 "HOMECORE binary in Docker image (homecore-server --help)"
-    if command -v docker >/dev/null 2>&1; then
-        help_out="$(docker run --rm --entrypoint /app/homecore-server ruvnet/wifi-densepose:latest --help 2>&1)" || help_out=""
-        if echo "$help_out" | grep -q "0.0.0.0:8123"; then
-            note_pass "Phase 9: homecore-server present, binds :8123 by default"
-        elif [ -n "$help_out" ]; then
-            note_fail "Phase 9: homecore-server help output unexpected"
-        else
-            note_skip "Phase 9: docker pull or run unavailable"
-        fi
-    else
-        note_skip "Phase 9: docker CLI not available"
+echo -e "${CYAN}[PHASE 2] PROOF PIPELINE REPLAY${RESET}"
+echo ""
+
+# Pass through any flags (--verbose, --audit, --generate-hash)
+PIPELINE_EXIT=0
+$PYTHON "${VERIFY_PY}" "$@" || PIPELINE_EXIT=$?
+
+echo ""
+
+# ------------------------------------------------------------------
+# PHASE 3: Mock/random scan of production codebase
+# ------------------------------------------------------------------
+echo -e "${CYAN}[PHASE 3] PRODUCTION CODE INTEGRITY SCAN${RESET}"
+echo ""
+echo "  Scanning ${V1_SRC} for np.random.rand / np.random.randn calls..."
+echo "  (Excluding v1/src/testing/ -- test helpers are allowed to use random.)"
+echo ""
+
+MOCK_FINDINGS=0
+
+# Scan for np.random.rand and np.random.randn in production code
+# We exclude testing/ directories
+while IFS= read -r line; do
+    if [ -n "$line" ]; then
+        echo -e "    ${YELLOW}FOUND${RESET}: $line"
+        MOCK_FINDINGS=$((MOCK_FINDINGS + 1))
    fi
+done < <(
+    find "${V1_SRC}" -name "*.py" -type f \
+        ! -path "*/testing/*" \
+        ! -path "*/tests/*" \
+        ! -path "*/test/*" \
+        ! -path "*__pycache__*" \
+        -exec grep -Hn 'np\.random\.rand\b\|np\.random\.randn\b' {} \; 2>/dev/null || true
+)
+
+if [ $MOCK_FINDINGS -eq 0 ]; then
+    echo -e "  ${GREEN}CLEAN${RESET}: No np.random.rand/randn calls in production code."
+else
+    echo ""
+    echo -e "  ${YELLOW}WARNING${RESET}: Found ${MOCK_FINDINGS} random generator call(s) in production code."
+    echo "  These should be reviewed -- production signal processing should"
+    echo "  never generate random data."
 fi

+echo ""
+
 # ------------------------------------------------------------------
 # FINAL SUMMARY
 # ------------------------------------------------------------------
-echo ""
 echo -e "${BOLD}======================================================================${RESET}"
-echo -e "${BOLD}  SUMMARY (HEAD $git_head)${RESET}"
-echo ""
-for line in "${SUMMARY[@]}"; do
-    printf "  %b\n" "$line"
-done
-echo ""

-if [ $EXIT_CODE -eq 0 ]; then
-    echo -e "  ${GREEN}${BOLD}OVERALL: PASS${RESET} — every phase that ran proved its layer of the stack."
-elif [ $EXIT_CODE -eq 2 ]; then
-    echo -e "  ${YELLOW}${BOLD}OVERALL: SKIPPED${RESET} — Phase 1 had no expected hash to compare (run with --generate-hash)."
+if [ $PIPELINE_EXIT -eq 0 ]; then
+    echo ""
+    echo -e "  ${GREEN}${BOLD}RESULT: PASS${RESET}"
+    echo ""
+    echo "  The production pipeline replayed the published reference signal"
+    echo "  and produced a SHA-256 hash that MATCHES the published expected hash."
+    echo ""
+    echo "  What this proves:"
+    echo "    - The signal processing code is REAL (not mocked)"
+    echo "    - The pipeline is DETERMINISTIC (same input -> same hash)"
+    echo "    - The code path includes: noise filtering, Hamming windowing,"
+    echo "      amplitude normalization, FFT-based Doppler extraction,"
+    echo "      and power spectral density computation via scipy.fft"
+    echo "    - No randomness was injected (the hash is exact)"
+    echo ""
+    echo "  To falsify: change any signal processing code and re-run."
+    echo "  The hash will break. That is the point."
+    echo ""
+    if [ $MOCK_FINDINGS -eq 0 ]; then
+        echo -e "  Mock scan: ${GREEN}CLEAN${RESET} (no random generators in production code)"
+    else
+        echo -e "  Mock scan: ${YELLOW}${MOCK_FINDINGS} finding(s)${RESET} (review recommended)"
+    fi
+    echo ""
+    echo -e "${BOLD}======================================================================${RESET}"
+    exit 0
+elif [ $PIPELINE_EXIT -eq 2 ]; then
+    echo ""
+    echo -e "  ${YELLOW}${BOLD}RESULT: SKIP${RESET}"
+    echo ""
+    echo "  No expected hash file to compare against."
+    echo "  Run: python v1/data/proof/verify.py --generate-hash"
+    echo ""
+    echo -e "${BOLD}======================================================================${RESET}"
+    exit 2
 else
-    echo -e "  ${RED}${BOLD}OVERALL: FAIL${RESET} — at least one phase did not match its published evidence."
+    echo ""
+    echo -e "  ${RED}${BOLD}RESULT: FAIL${RESET}"
+    echo ""
+    echo "  The pipeline hash does NOT match the expected hash."
+    echo "  Something changed in the signal processing code."
+    echo ""
+    echo -e "${BOLD}======================================================================${RESET}"
+    exit 1
 fi
-echo ""
-echo -e "${BOLD}======================================================================${RESET}"
-exit $EXIT_CODE