Mirrors v2/crates/cog-pose-estimation/cog/ so the Seed runtime
treats cog-ha-matter identically — `cognitum cog install ha-matter`
behaves like `cognitum cog install pose-estimation`.
Files:
* cog/manifest.template.json — 9-field manifest with {{VERSION}}
+ {{ARCH}} slots, hand-edited by the Makefile signer
* cog/Makefile — same target set as cog-pose-estimation:
build / build-arm / build-x86_64
sign / sign-arm / sign-x86_64 (Ed25519 step is TODO,
blocked on COGNITUM_OWNER_SIGNING_KEY provisioning —
same blocker as cog-pose-estimation)
upload / upload-arm / upload-x86_64
manifest (delegates to `cargo run -- --print-manifest`)
release (= build + sign + upload + manifest)
verify (sha256sum vs sidecar)
clean
Adds `mkdir -p dist` to build steps so the gitignored dist/
folder is created on first build.
* cog/README.md — what this cog does, layout map, local dry-run
instructions, gcloud auth requirements, the JSON snippet to
paste into app-registry.json (in the separate cognitum-one
repo, not this one)
Local dist/ is intentionally not committed: top-level .gitignore
matches `dist/` globally, the Makefile creates it on demand.
What this commit does NOT do (P8 remaining):
* cross-compile build (needs `rustup target add
aarch64-unknown-linux-gnu x86_64-unknown-linux-gnu` + linker)
* sign the binaries (COGNITUM_OWNER_SIGNING_KEY not provisioned)
* gsutil cp to gs://cognitum-apps/ (needs user's gcloud auth)
* append to app-registry.json (lives in cognitum-one repo —
separate PR there)
Next iter: a CI workflow that runs `make build sign verify` on
tag-push, so the local-side pipeline is fully exercised even
without the production credentials.
Co-Authored-By: claude-flow <ruv@ruv.net>
|
||
|---|---|---|
| .. | ||
| Makefile | ||
| README.md | ||
| manifest.template.json | ||
README.md
HA-Matter Cog Packaging
Build / sign / upload pipeline for cog-ha-matter, mirroring the
cog-pose-estimation precedent so the
Seed runtime treats both cogs identically.
See ADR-100 — Cog Packaging Specification and ADR-116 — HA-Matter Seed Cog.
What this cog does
Wraps the ADR-115 HA-DISCO + HA-MIND MQTT publisher as a Seed-installable artifact with:
- mDNS auto-discovery (
_ruview-ha._tcp) - Ed25519-signed witness chain for tamper-evident audit logs
- Privacy-mode flag (only semantic primitives, no biometrics)
- One-flag deferral to v0.7 for the embedded broker / v0.8 for the Matter Bridge
Layout
| File | Purpose |
|---|---|
manifest.template.json |
Build-time manifest with {{VERSION}} / {{ARCH}} slots; make manifest substitutes them |
Makefile |
build / sign / upload / release / verify / clean targets |
dist/ |
Created by make build; gitignored, holds release binaries + sha256 + sig |
Local build (dry-run)
cd v2/crates/cog-ha-matter/cog
make build # builds aarch64 + x86_64 release binaries
make sign # writes .sha256 + (TODO) .sig sidecars
make manifest # prints the manifest the Seed would record
make sign is currently a no-op for the signature itself — the
COGNITUM_OWNER_SIGNING_KEY provisioning is the same TODO that
blocks cog-pose-estimation.
Until then, dev cogs ship unsigned and app-registry.json lists
them with "binary_signature": "".
Upload (requires gcloud auth)
gcloud auth login
make upload # gsutil cp dist/* gs://cognitum-apps/cogs/{arch}/
The GCS bucket is shared with cog-pose-estimation and is part of
the cognitum-apps project. Write access requires membership in the
cog-publishers IAM group.
app-registry.json
Lives in the cognitum-one
repo, not here. After make upload succeeds, file a PR there
that appends:
{
"id": "ha-matter",
"version": "<the version make manifest printed>",
"binary_url": "https://storage.googleapis.com/cognitum-apps/cogs/{arch}/cog-ha-matter-{arch}",
"binary_sha256": "<from dist/cog-cog-ha-matter-{arch}.sha256>",
"binary_signature": "<from dist/cog-cog-ha-matter-{arch}.sig — empty until signing is wired>",
"description": "Home Assistant + Matter Cognitum Seed cog (mDNS + witness chain)",
"min_seed_version": "0.6.0",
"installable_on": ["arm", "x86_64"]
}