wifi-densepose/v2/crates/cog-ha-matter/cog
ruv be4efecbcd cog-ha-matter (ADR-116 P8): app-registry entry stub + release checklist
Two closing P8 deliverables that complete the local-side publishing
scaffolding. The remaining work is all credential-bearing user
action.

1. `cog/app-registry-entry.json` — the exact JSON payload to paste
   into cognitum-one's `app-registry.json`. Schema discovered by
   fetching the live registry (105 cogs, 11 categories) and
   matching the existing `ruview-densepose` entry verbatim. Keys:

     id, name, category, version, size_kb, difficulty, description,
     featured, config[], sha256, binary_size

   cog-ha-matter slots in under `category: "building"` (smart home
   / building automation — the natural HA / Matter category, vs
   `network` which is more about transport bridges).

   7 config[] entries mirror our CLI surface:
     sensing_url, mqtt_host, mqtt_port, privacy_mode,
     mdns_hostname, mdns_ipv4, no_mdns

   Two post-build fields left as `<FILL_IN_...>` markers:
     sha256       (paste from the workflow artifact's .sha256)
     binary_size  (wc -c < the binary)

   Schema validated: all 10 required keys present, parses as JSON.

2. `cog/RELEASE-CHECKLIST.md` — one-page mechanical playbook with
   four explicit "🔑 USER ACTION" gates. Each gate names exactly
   what the user (or org admin) has to do that the pipeline cannot:

     a) provision GCP_CREDENTIALS + HAS_GCP_CREDENTIALS org var
     b) provision COGNITUM_OWNER_SIGNING_KEY GH secret
     c) gcloud auth login (only if uploading locally)
     d) PR app-registry.json into cognitum-one

   Plus pre-release test gate, tag-push command, post-release
   verification curl, and a rollback procedure using GCS object
   versioning (per ADR-100 §"GCS misconfiguration risks").

Stop-condition check (cron's predicate: "ALL local-side publishing
scaffolding is complete and the only remaining work requires user
action"):

   cog/manifest.template.json
   cog/Makefile (build / sign / upload / verify / clean)
   cog/README.md
   cog/app-registry-entry.json (this commit)
   cog/RELEASE-CHECKLIST.md (this commit)
   .github/workflows/cog-ha-matter-release.yml (3 jobs, gated)
   dist/ handling (gitignored, created by make)

  🔑 4 user-action gates explicitly enumerated in the checklist

The cron should STOP after this iter — the local-side scaffolding
is complete and the remaining work is the four named credential
gates that the pipeline cannot self-serve.

Co-Authored-By: claude-flow <ruv@ruv.net>
2026-05-23 23:12:14 -04:00
Makefile cog-ha-matter (ADR-116 P8): CI release workflow + fix inherited filename bug 2026-05-23 23:05:54 -04:00
README.md cog-ha-matter (ADR-116 P8): CI release workflow + fix inherited filename bug 2026-05-23 23:05:54 -04:00
RELEASE-CHECKLIST.md cog-ha-matter (ADR-116 P8): app-registry entry stub + release checklist 2026-05-23 23:12:14 -04:00
app-registry-entry.json cog-ha-matter (ADR-116 P8): app-registry entry stub + release checklist 2026-05-23 23:12:14 -04:00
manifest.template.json cog-ha-matter (ADR-116 P8): scaffold cog/ publishing layout 2026-05-23 22:55:44 -04:00

README.md

HA-Matter Cog Packaging

Build / sign / upload pipeline for cog-ha-matter, mirroring the cog-pose-estimation precedent so the Seed runtime treats both cogs identically.

See ADR-100 — Cog Packaging Specification and ADR-116 — HA-Matter Seed Cog.

What this cog does

Wraps the ADR-115 HA-DISCO + HA-MIND MQTT publisher as a Seed-installable artifact with:

  • mDNS auto-discovery (_ruview-ha._tcp)
  • Ed25519-signed witness chain for tamper-evident audit logs
  • Privacy-mode flag (only semantic primitives, no biometrics)
  • One-flag deferral to v0.7 for the embedded broker / v0.8 for the Matter Bridge

Layout

| File | Purpose |
| --- | --- |
| manifest.template.json | Build-time manifest with {{VERSION}} / {{ARCH}} slots; make manifest substitutes them |
| Makefile | build / sign / upload / release / verify / clean targets |
| dist/ | Created by make build; gitignored, holds release binaries + sha256 + sig |

Local build (dry-run)

cd v2/crates/cog-ha-matter/cog
make build          # builds aarch64 + x86_64 release binaries
make sign           # writes .sha256 + (TODO) .sig sidecars
make manifest       # prints the manifest the Seed would record

make sign is currently a no-op for the signature itself — the COGNITUM_OWNER_SIGNING_KEY provisioning is the same TODO that blocks cog-pose-estimation. Until then, dev cogs ship unsigned and app-registry.json lists them with "binary_signature": "".

Upload (requires gcloud auth)

gcloud auth login
make upload         # gsutil cp dist/* gs://cognitum-apps/cogs/{arch}/

The GCS bucket is shared with cog-pose-estimation and is part of the cognitum-apps project. Write access requires membership in the cog-publishers IAM group.

app-registry.json

Lives in the cognitum-one repo, not here. After make upload succeeds, file a PR there that appends:

{
  "id": "ha-matter",
  "version": "<the version make manifest printed>",
  "binary_url": "https://storage.googleapis.com/cognitum-apps/cogs/{arch}/cog-ha-matter-{arch}",
  "binary_sha256": "<from dist/cog-ha-matter-{arch}.sha256>",
  "binary_signature": "<from dist/cog-ha-matter-{arch}.sig — empty until signing is wired>",
  "description": "Home Assistant + Matter Cognitum Seed cog (mDNS + witness chain)",
  "min_seed_version": "0.6.0",
  "installable_on": ["arm", "x86_64"]
}
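
A pre-PR check for the entry above, as an added example that is not part of this repository: it flags unfilled template slots, compares `binary_sha256` and the `.sha256` sidecar against the binary's actual digest, and reports an empty `binary_signature` as unsigned (it does not verify a signature). The function names, the sidecar format (bare hex digest or `sha256sum`-style line), and the sample binary and version string are assumptions constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Unfilled "<...>" values or "{arch}" slots copied straight from the template.
PLACEHOLDER = re.compile(r"^<.*>$|\{arch\}")

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def check_entry(entry: dict, binary: Path, sidecar: Path) -> list[str]:
    """Return findings; an empty list means nothing was flagged."""
    findings = []
    for key, value in entry.items():
        if isinstance(value, str) and PLACEHOLDER.search(value):
            findings.append(f"placeholder left in {key}")
    actual = sha256_file(binary)
    # Assumption: sidecar holds a bare hex digest or a sha256sum-style line.
    recorded = (sidecar.read_text().split() or [""])[0].lower()
    if recorded != actual:
        findings.append("sidecar digest does not match binary")
    if str(entry.get("binary_sha256", "")).lower() != actual:
        findings.append("binary_sha256 does not match binary")
    if not entry.get("binary_signature"):
        findings.append("unsigned: binary_signature is empty")
    return findings

def demo():
    """Constructed sample: the README template as pasted, then filled in."""
    with tempfile.TemporaryDirectory() as tmp:
        binary = Path(tmp, "cog-ha-matter-x86_64")
        binary.write_bytes(b"constructed stand-in for a release binary\n")
        digest = sha256_file(binary)
        sidecar = Path(tmp, binary.name + ".sha256")
        sidecar.write_text(f"{digest}  {binary.name}\n")
        url = "https://storage.googleapis.com/cognitum-apps/cogs/{arch}/cog-ha-matter-{arch}"
        template = {"id": "ha-matter", "version": "<the version make manifest printed>",
                    "binary_url": url, "binary_signature": "",
                    "binary_sha256": "<from dist/cog-ha-matter-{arch}.sha256>"}
        filled = dict(template, version="0.0.0-example", binary_sha256=digest,
                      binary_url=url.replace("{arch}", "x86_64"))
        return check_entry(template, binary, sidecar), check_entry(filled, binary, sidecar)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

With the signing step still a no-op, a fully filled-in entry is still reported as unsigned, so the digest comparison is the only integrity check this covers.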