Automated release from CI pipeline
Changes:
cog-ha-matter (ADR-116 P4): pure witness hash-chain primitive
Second P4 unit: an append-only SHA-256 hash chain for tamper-evident
audit logging. ADR-116 §2.2 promised this for healthcare /
education / shared-housing deployments — this lands the primitive
with no key dependency so the next iter can layer Ed25519 signing
on top without touching the chain itself.
Module shape:
- WitnessHash([u8; 32]) newtype + WitnessHash::GENESIS sentinel
- WitnessEvent { seq, prev_hash, ts, kind, payload, this_hash }
  — once committed, every field is immutable
- WitnessChain — append, tip, verify, events
- canonical_bytes — length-prefixed serialization that prevents
  the classic concatenation forgery (abc|def ≠ ab|cdef)
- WitnessVerifyError — auditor-friendly error with at: usize
  on every variant (SeqGap, PrevHashMismatch, HashMismatch)
13 new tests covering both happy path and active tampering:
- genesis hash all-zeros
- empty chain tip is genesis
- canonical bytes length-prefixed (anti-forgery)
- canonical bytes start with prev_hash (wire-format lock)
- append links to prev_hash
- seq monotonic from 0
- verify passes on clean chain
- verify catches tampered payload (fires HashMismatch)
- verify catches broken prev_hash link
- verify catches seq gap
- hash hex is 64 lowercase chars
- first event prev_hash == GENESIS (auditor anchor)
- different payloads → different hashes
Hash-chain over Merkle is the right tradeoff for the cog's event
rate (a few/min steady, dozens during a fall) — linear scan is
fine and we save the Merkle complexity for a future tier when
chains span days.
34/34 cog tests green (21 → 34).
ADR-116 P4 row updated to enumerate the three P4 sub-units shipped /
pending: (a) mDNS record-builder ✅, (b) witness hash-chain ✅, (c)
responder + embedded broker + Ed25519 signing pending.
Co-Authored-By: claude-flow ruv@ruv.net
Docker Image:
ghcr.io/ruvnet/RuView:fe913b0ea7b01b15fae931148282a3a8f761def1
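
The chain shape described in the commit message above, as an added Python sketch; it is not the project's Rust code. The byte layout inside canonical_bytes, the integer widths and the sample events are assumptions. The error names mirror the WitnessVerifyError variants listed in the message.

```python
import hashlib
import struct
from dataclasses import dataclass

GENESIS = bytes(32)  # all-zero sentinel that anchors the first event

@dataclass(frozen=True)  # committed events are immutable
class Event:
    seq: int
    prev_hash: bytes
    ts: int
    kind: str
    payload: bytes
    this_hash: bytes

def canonical_bytes(prev_hash, seq, ts, kind, payload):
    # Assumed layout (not the project's wire format): prev_hash first, then
    # fixed-width integers, then each variable field behind a u32 length.
    k = kind.encode()
    return (prev_hash + struct.pack(">QQ", seq, ts)
            + struct.pack(">I", len(k)) + k
            + struct.pack(">I", len(payload)) + payload)

def append(chain, ts, kind, payload):
    prev = chain[-1].this_hash if chain else GENESIS
    seq = len(chain)
    digest = hashlib.sha256(canonical_bytes(prev, seq, ts, kind, payload)).digest()
    chain.append(Event(seq, prev, ts, kind, payload, digest))

def verify(chain):
    """Return None if intact, else (error_name, index) for the first bad event."""
    prev = GENESIS
    for at, ev in enumerate(chain):
        if ev.seq != at:
            return ("SeqGap", at)
        if ev.prev_hash != prev:
            return ("PrevHashMismatch", at)
        body = canonical_bytes(ev.prev_hash, ev.seq, ev.ts, ev.kind, ev.payload)
        if hashlib.sha256(body).digest() != ev.this_hash:
            return ("HashMismatch", at)
        prev = ev.this_hash
    return None

def demo_chain():
    chain = []  # constructed sample events, not real device output
    append(chain, 1700000000, "presence", b"room=kitchen")
    append(chain, 1700000060, "fall", b"room=hall;confidence=0.91")
    append(chain, 1700000120, "presence", b"room=hall")
    return chain
```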