fix(dashboard): settings drawer scrim covers viewport (host transform fix)

* fix(ci): wasm-pack PATH + Dockerfile workspace stub Closes the two post-merge failures from #436: 1. wasm-pack: command not found — cargo install doesn't reliably leave the binary on PATH. Switched to the canonical installer in both the Pages and a11y workflows. 2. nvsim-server Docker build — cargo couldn't resolve workspace.dependencies from a partial copy. Dockerfile now generates a stub workspace Cargo.toml inline that lists just nvsim + nvsim-server. Co-Authored-By: claude-flow <ruv@ruv.net> * fix(dashboard): settings drawer scrim — escape host transform's containing-block trap The drawer's :host had transform: translateX(...) which makes it the containing block for any fixed-position descendants. The .scrim at 'position: fixed; inset: 0' therefore covered only the drawer's own 420 px panel area, not the viewport. Visible symptoms: - Page behind the drawer didn't dim - Click outside the drawer didn't dismiss it (no scrim to receive) - Felt like the drawer wasn't really 'modal' Fix: keep :host as a fixed full-viewport overlay (no transform), move the drawer body into an inner .panel div, transform only that. Now the scrim covers the viewport correctly and outside-clicks dismiss. Same trap exists nowhere else; nv-modal already follows this pattern. Co-Authored-By: claude-flow <ruv@ruv.net>
fix(ci): wasm-pack PATH + Dockerfile workspace stub (#440 )
2026-04-28 05:59:32 +00:00 · 2026-04-27 13:59:34 -04:00 · 2026-04-27 12:49:03 -04:00 · 2026-04-27 12:41:01 -04:00 · 2026-04-26 02:22:26 -04:00 · 2026-04-26 02:21:40 -04:00
1026 changed files with 232717 additions and 942 deletions
--- a/.claude-flow/.trend-cache.json
+++ b/.claude-flow/.trend-cache.json
@ -0,0 +1 @@
+{"intelligence":7,"timestamp":1774922079152}
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -62,6 +62,32 @@ jobs:
          bandit-report.json
          safety-report.json

+  # Rust Workspace Tests
+  rust-tests:
+    name: Rust Workspace Tests
+    runs-on: ubuntu-latest
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v4
+
+    - name: Install Rust toolchain
+      uses: dtolnay/rust-toolchain@stable
+
+    - name: Cache cargo
+      uses: actions/cache@v4
+      with:
+        path: |
+          ~/.cargo/registry
+          ~/.cargo/git
+          v2/target
+        key: ${{ runner.os }}-cargo-${{ hashFiles('v2/Cargo.lock') }}
+        restore-keys: |
+          ${{ runner.os }}-cargo-
+
+    - name: Run Rust tests
+      working-directory: v2
+      run: cargo test --workspace --no-default-features
+
  # Unit and Integration Tests
  test:
    name: Tests
@ -183,7 +209,7 @@ jobs:
  docker-build:
    name: Docker Build & Test
    runs-on: ubuntu-latest
-    needs: [code-quality, test]
+    needs: [code-quality, test, rust-tests]
    steps:
    - name: Checkout code
      uses: actions/checkout@v4
@ -282,28 +308,29 @@ jobs:
  notify:
    name: Notify
    runs-on: ubuntu-latest
-    needs: [code-quality, test, performance-test, docker-build, docs]
+    needs: [code-quality, test, rust-tests, performance-test, docker-build, docs]
    if: always()
+    # GitHub Actions does not allow `secrets.X` directly in step-level `if:`
+    # expressions — only `env.X`. Promote the secret to env at job scope so
+    # the gating expression below is parseable.
+    env:
+      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
    steps:
    - name: Notify Slack on success
-      if: ${{ secrets.SLACK_WEBHOOK_URL != '' && needs.code-quality.result == 'success' && needs.test.result == 'success' && needs.docker-build.result == 'success' }}
+      if: ${{ env.SLACK_WEBHOOK_URL != '' && needs.code-quality.result == 'success' && needs.test.result == 'success' && needs.docker-build.result == 'success' }}
      uses: 8398a7/action-slack@v3
      with:
        status: success
        channel: '#ci-cd'
        text: '✅ CI pipeline completed successfully for ${{ github.ref }}'
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

    - name: Notify Slack on failure
-      if: ${{ secrets.SLACK_WEBHOOK_URL != '' && (needs.code-quality.result == 'failure' || needs.test.result == 'failure' || needs.docker-build.result == 'failure') }}
+      if: ${{ env.SLACK_WEBHOOK_URL != '' && (needs.code-quality.result == 'failure' || needs.test.result == 'failure' || needs.docker-build.result == 'failure') }}
      uses: 8398a7/action-slack@v3
      with:
        status: failure
        channel: '#ci-cd'
        text: '❌ CI pipeline failed for ${{ github.ref }}'
-      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}

    - name: Create GitHub Release
      if: github.ref == 'refs/heads/main' && needs.docker-build.result == 'success'
--- a/.github/workflows/dashboard-a11y.yml
+++ b/.github/workflows/dashboard-a11y.yml
@ -0,0 +1,46 @@
+name: Dashboard a11y + cross-browser
+
+# Runs axe-core a11y assertions on the built dashboard across
+# Chromium, Firefox, and WebKit. Closes ADR-092 §11.5 (axe-core)
+# and §11.8 (cross-browser).
+
+on:
+  push:
+    branches: [main]
+    paths: ['dashboard/**', 'v2/crates/nvsim/**']
+  pull_request:
+    paths: ['dashboard/**']
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  a11y:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: dtolnay/rust-toolchain@stable
+        with: { targets: wasm32-unknown-unknown }
+
+      - name: Install wasm-pack
+        run: curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
+
+      - name: Build nvsim WASM
+        working-directory: v2
+        run: |
+          wasm-pack build crates/nvsim --target web \
+            --out-dir ../../dashboard/public/nvsim-pkg \
+            --release -- --no-default-features --features wasm
+
+      - uses: actions/setup-node@v4
+        with: { node-version: 20, cache: npm, cache-dependency-path: dashboard/package-lock.json }
+
+      - working-directory: dashboard
+        run: |
+          npm ci
+          npm install --save-dev @playwright/test @axe-core/playwright
+          npx playwright install --with-deps
+          npm run build
+          npx playwright test
--- a/.github/workflows/dashboard-pages.yml
+++ b/.github/workflows/dashboard-pages.yml
@ -0,0 +1,87 @@
+name: nvsim Dashboard → GitHub Pages
+
+# Deploys the nvsim Vite/Lit dashboard to gh-pages/nvsim/ — preserving
+# the existing observatory/, pose-fusion/, and root index.html demos
+# already published from gh-pages. ADR-092 §9.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'v2/crates/nvsim/**'
+      - 'dashboard/**'
+      - '.github/workflows/dashboard-pages.yml'
+  workflow_dispatch:
+
+permissions:
+  contents: write
+
+concurrency:
+  group: dashboard-pages
+  cancel-in-progress: true
+
+jobs:
+  build-and-deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout main
+        uses: actions/checkout@v4
+
+      - name: Install Rust + wasm32 target
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          targets: wasm32-unknown-unknown
+
+      - name: Cache cargo registry
+        uses: actions/cache@v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            v2/target
+          key: ${{ runner.os }}-cargo-nvsim-${{ hashFiles('v2/Cargo.lock') }}
+          restore-keys: ${{ runner.os }}-cargo-nvsim-
+
+      - name: Install wasm-pack
+        run: |
+          curl https://rustwasm.github.io/wasm-pack/installer/init.sh -sSf | sh
+          which wasm-pack
+
+      - name: Build nvsim WASM
+        working-directory: v2
+        run: |
+          wasm-pack build crates/nvsim \
+            --target web \
+            --out-dir ../../dashboard/public/nvsim-pkg \
+            --release \
+            -- --no-default-features --features wasm
+
+      - name: Setup Node 20
+        uses: actions/setup-node@v4
+        with:
+          node-version: 20
+          cache: npm
+          cache-dependency-path: dashboard/package-lock.json
+
+      - name: Install dashboard deps
+        working-directory: dashboard
+        run: npm ci
+
+      - name: Build dashboard
+        working-directory: dashboard
+        env:
+          NVSIM_BASE: /RuView/nvsim/
+        run: npm run build
+
+      - name: Deploy to gh-pages/nvsim/
+        uses: peaceiris/actions-gh-pages@v4
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          publish_dir: ./dashboard/dist
+          destination_dir: nvsim
+          # CRITICAL: preserves observatory/, pose-fusion/, root index.html
+          # and any other RuView demos already on gh-pages.
+          keep_files: true
+          commit_message: 'deploy(nvsim): ${{ github.sha }}'
+          user_name: 'github-actions[bot]'
+          user_email: 'github-actions[bot]@users.noreply.github.com'
--- a/.github/workflows/desktop-release.yml
+++ b/.github/workflows/desktop-release.yml
@ -40,18 +40,18 @@ jobs:
          targets: ${{ matrix.target }}

      - name: Install frontend dependencies
-        working-directory: rust-port/wifi-densepose-rs/crates/wifi-densepose-desktop/ui
+        working-directory: v2/crates/wifi-densepose-desktop/ui
        run: npm ci

      - name: Build frontend
-        working-directory: rust-port/wifi-densepose-rs/crates/wifi-densepose-desktop/ui
+        working-directory: v2/crates/wifi-densepose-desktop/ui
        run: npm run build

      - name: Install Tauri CLI
        run: cargo install tauri-cli --version "^2.0.0"

      - name: Build Tauri app
-        working-directory: rust-port/wifi-densepose-rs/crates/wifi-densepose-desktop
+        working-directory: v2/crates/wifi-densepose-desktop
        run: cargo tauri build --target ${{ matrix.target }}
        env:
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
@ -68,14 +68,14 @@ jobs:

      - name: Package macOS app
        run: |
-          cd rust-port/wifi-densepose-rs/target/${{ matrix.target }}/release/bundle/macos
+          cd v2/target/${{ matrix.target }}/release/bundle/macos
          zip -r "RuView-Desktop-${{ github.event.inputs.version || '0.4.0' }}-macos-${{ steps.arch.outputs.arch }}.zip" "RuView Desktop.app"

      - name: Upload macOS artifact
        uses: actions/upload-artifact@v4
        with:
          name: ruview-macos-${{ steps.arch.outputs.arch }}
-          path: rust-port/wifi-densepose-rs/target/${{ matrix.target }}/release/bundle/macos/*.zip
+          path: v2/target/${{ matrix.target }}/release/bundle/macos/*.zip

  build-windows:
    name: Build Windows
@ -93,18 +93,18 @@ jobs:
        uses: dtolnay/rust-toolchain@stable

      - name: Install frontend dependencies
-        working-directory: rust-port/wifi-densepose-rs/crates/wifi-densepose-desktop/ui
+        working-directory: v2/crates/wifi-densepose-desktop/ui
        run: npm ci

      - name: Build frontend
-        working-directory: rust-port/wifi-densepose-rs/crates/wifi-densepose-desktop/ui
+        working-directory: v2/crates/wifi-densepose-desktop/ui
        run: npm run build

      - name: Install Tauri CLI
        run: cargo install tauri-cli --version "^2.0.0"

      - name: Build Tauri app
-        working-directory: rust-port/wifi-densepose-rs/crates/wifi-densepose-desktop
+        working-directory: v2/crates/wifi-densepose-desktop
        run: cargo tauri build
        env:
          TAURI_SIGNING_PRIVATE_KEY: ${{ secrets.TAURI_SIGNING_PRIVATE_KEY }}
@ -114,13 +114,13 @@ jobs:
        uses: actions/upload-artifact@v4
        with:
          name: ruview-windows-msi
-          path: rust-port/wifi-densepose-rs/target/release/bundle/msi/*.msi
+          path: v2/target/release/bundle/msi/*.msi

      - name: Upload Windows NSIS artifact
        uses: actions/upload-artifact@v4
        with:
          name: ruview-windows-nsis
-          path: rust-port/wifi-densepose-rs/target/release/bundle/nsis/*.exe
+          path: v2/target/release/bundle/nsis/*.exe

  create-release:
    name: Create Release
--- a/.github/workflows/firmware-ci.yml
+++ b/.github/workflows/firmware-ci.yml
@ -12,31 +12,50 @@ on:

 jobs:
  build:
-    name: Build ESP32-S3 Firmware
+    name: Build ESP32-S3 Firmware (${{ matrix.variant }})
    runs-on: ubuntu-latest
    container:
      image: espressif/idf:v5.4
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - variant: 8mb
+            sdkconfig: sdkconfig.defaults
+            partition_table_name: partitions_display.csv
+            size_limit_kb: 1100
+            artifact_app: esp32-csi-node.bin
+            artifact_pt: partition-table.bin
+          - variant: 4mb
+            sdkconfig: sdkconfig.defaults.4mb
+            partition_table_name: partitions_4mb.csv
+            size_limit_kb: 1100
+            artifact_app: esp32-csi-node-4mb.bin
+            artifact_pt: partition-table-4mb.bin

    steps:
      - uses: actions/checkout@v4

-      - name: Build firmware
+      - name: Build firmware (${{ matrix.variant }})
        working-directory: firmware/esp32-csi-node
        run: |
          . $IDF_PATH/export.sh
+          if [ "${{ matrix.variant }}" != "8mb" ]; then
+            cp "${{ matrix.sdkconfig }}" sdkconfig.defaults
+          fi
          idf.py set-target esp32s3
          idf.py build

-      - name: Verify binary size (< 1100 KB gate)
+      - name: Verify binary size (< ${{ matrix.size_limit_kb }} KB gate)
        working-directory: firmware/esp32-csi-node
        run: |
          BIN=build/esp32-csi-node.bin
          SIZE=$(stat -c%s "$BIN")
-          MAX=$((1100 * 1024))
+          MAX=$((${{ matrix.size_limit_kb }} * 1024))
          echo "Binary size: $SIZE bytes ($(( SIZE / 1024 )) KB)"
-          echo "Size limit:  $MAX bytes (1100 KB — includes WASM runtime + HTTP client for Seed swarm bridge)"
+          echo "Size limit:  $MAX bytes (${{ matrix.size_limit_kb }} KB)"
          if [ "$SIZE" -gt "$MAX" ]; then
-            echo "::error::Firmware binary exceeds 1100 KB size gate ($SIZE > $MAX)"
+            echo "::error::Firmware binary exceeds ${{ matrix.size_limit_kb }} KB size gate ($SIZE > $MAX)"
            exit 1
          fi
          echo "Binary size OK: $SIZE <= $MAX"
@ -47,14 +66,11 @@ jobs:
          ERRORS=0
          BIN=build/esp32-csi-node.bin

-          # Check binary exists and is non-empty.
          if [ ! -s "$BIN" ]; then
            echo "::error::Binary not found or empty"
            exit 1
          fi

-          # Check partition table magic (0xAA50 at offset 0).
-          # Use od instead of xxd (xxd not available in espressif/idf container).
          PT=build/partition_table/partition-table.bin
          if [ -f "$PT" ]; then
            MAGIC=$(od -A n -t x1 -N 2 "$PT" | tr -d ' ')
@ -64,14 +80,12 @@ jobs:
            fi
          fi

-          # Check bootloader exists.
          BL=build/bootloader/bootloader.bin
          if [ ! -s "$BL" ]; then
            echo "::warning::Bootloader binary missing or empty"
            ERRORS=$((ERRORS + 1))
          fi

-          # Verify non-zero data in binary (not all 0xFF padding).
          NONZERO=$(od -A n -t x1 -N 1024 "$BIN" | tr -d ' f\n' | wc -c)
          if [ "$NONZERO" -lt 100 ]; then
            echo "::error::Binary appears to be mostly padding (non-zero chars: $NONZERO)"
@ -84,19 +98,27 @@ jobs:
            echo "Flash image integrity verified"
          fi

+      - name: Stage release binaries with variant-specific names
+        working-directory: firmware/esp32-csi-node
+        run: |
+          mkdir -p release-staging
+          cp build/esp32-csi-node.bin                      release-staging/${{ matrix.artifact_app }}
+          cp build/partition_table/partition-table.bin     release-staging/${{ matrix.artifact_pt }}
+          if [ "${{ matrix.variant }}" = "8mb" ]; then
+            cp build/bootloader/bootloader.bin             release-staging/bootloader.bin
+            cp build/ota_data_initial.bin                  release-staging/ota_data_initial.bin
+          fi
+          ls -la release-staging/
+
      - name: Check QEMU ESP32-S3 support status
        run: |
          echo "::notice::ESP32-S3 QEMU support is experimental in ESP-IDF v5.4. "
          echo "Full smoke testing requires QEMU 8.2+ with xtensa-esp32s3 target."
          echo "See: https://github.com/espressif/qemu/wiki"

-      - name: Upload firmware artifact
+      - name: Upload firmware artifact (${{ matrix.variant }})
        uses: actions/upload-artifact@v4
        with:
-          name: esp32-csi-node-firmware
-          path: |
-            firmware/esp32-csi-node/build/esp32-csi-node.bin
-            firmware/esp32-csi-node/build/bootloader/bootloader.bin
-            firmware/esp32-csi-node/build/partition_table/partition-table.bin
-            firmware/esp32-csi-node/build/ota_data_initial.bin
+          name: esp32-csi-node-firmware-${{ matrix.variant }}
+          path: firmware/esp32-csi-node/release-staging/
          retention-days: 90
--- a/.github/workflows/nvsim-server-docker.yml
+++ b/.github/workflows/nvsim-server-docker.yml
@ -0,0 +1,69 @@
+name: nvsim-server → ghcr.io
+
+# Builds and publishes the nvsim-server Docker image to ghcr.io on:
+# - push to main affecting nvsim-server or nvsim
+# - tag push matching nvsim-server-v*
+# - manual workflow_dispatch
+#
+# ADR-092 §6.2 + §9.4.
+
+on:
+  push:
+    branches: [main]
+    paths:
+      - 'v2/crates/nvsim-server/**'
+      - 'v2/crates/nvsim/**'
+      - '.github/workflows/nvsim-server-docker.yml'
+    tags: ['nvsim-server-v*']
+  workflow_dispatch:
+
+permissions:
+  contents: read
+  packages: write
+
+jobs:
+  build-and-publish:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: docker/setup-buildx-action@v3
+
+      - uses: docker/login-action@v3
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Extract metadata
+        id: meta
+        uses: docker/metadata-action@v5
+        with:
+          images: ghcr.io/ruvnet/nvsim-server
+          tags: |
+            type=ref,event=branch
+            type=ref,event=tag
+            type=sha,format=short
+            type=raw,value=latest,enable={{is_default_branch}}
+
+      - name: Build + push
+        uses: docker/build-push-action@v5
+        with:
+          context: v2
+          file: v2/crates/nvsim-server/Dockerfile
+          push: true
+          tags: ${{ steps.meta.outputs.tags }}
+          labels: ${{ steps.meta.outputs.labels }}
+          cache-from: type=gha
+          cache-to: type=gha,mode=max
+          platforms: linux/amd64
+
+      - name: Smoke-test the image
+        run: |
+          docker pull ghcr.io/ruvnet/nvsim-server:sha-${GITHUB_SHA::7} || \
+            docker pull ghcr.io/ruvnet/nvsim-server:latest
+          docker run --rm -d --name nvsim-test -p 7878:7878 \
+            ghcr.io/ruvnet/nvsim-server:latest
+          sleep 4
+          curl -fsS http://localhost:7878/api/health
+          docker stop nvsim-test
--- a/.github/workflows/security-scan.yml
+++ b/.github/workflows/security-scan.yml
@ -377,6 +377,11 @@ jobs:
    runs-on: ubuntu-latest
    needs: [sast, dependency-scan, container-scan, iac-scan, secret-scan, license-scan, compliance-check]
    if: always()
+    # Promote secret to env-scope so the gating `if:` on the Slack-notify
+    # step below is parseable (GitHub Actions rejects `secrets.X` in
+    # step-level `if:` expressions).
+    env:
+      SECURITY_SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }}
    steps:
    - name: Download all artifacts
      uses: actions/download-artifact@v4
@ -402,8 +407,11 @@ jobs:
        name: security-summary
        path: security-summary.md

+    # GitHub Actions does not allow `secrets.X` in step-level `if:` —
+    # use env.X instead. Inherits SECURITY_SLACK_WEBHOOK_URL from the
+    # job-level env block (added below).
    - name: Notify security team on critical findings
-      if: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL != '' && (needs.sast.result == 'failure' || needs.dependency-scan.result == 'failure' || needs.container-scan.result == 'failure') }}
+      if: ${{ env.SECURITY_SLACK_WEBHOOK_URL != '' && (needs.sast.result == 'failure' || needs.dependency-scan.result == 'failure' || needs.container-scan.result == 'failure') }}
      uses: 8398a7/action-slack@v3
      with:
        status: failure
@ -415,7 +423,7 @@ jobs:
          Workflow: ${{ github.workflow }}
          Please review the security scan results immediately.
      env:
-        SLACK_WEBHOOK_URL: ${{ secrets.SECURITY_SLACK_WEBHOOK_URL }}
+        SLACK_WEBHOOK_URL: ${{ env.SECURITY_SLACK_WEBHOOK_URL }}

    - name: Create security issue on critical findings
      if: needs.sast.result == 'failure' || needs.dependency-scan.result == 'failure'
--- a/.github/workflows/verify-pipeline.yml
+++ b/.github/workflows/verify-pipeline.yml
@ -4,16 +4,16 @@ on:
  push:
    branches: [ main, master, 'claude/**' ]
    paths:
-      - 'v1/src/core/**'
-      - 'v1/src/hardware/**'
-      - 'v1/data/proof/**'
+      - 'archive/v1/src/core/**'
+      - 'archive/v1/src/hardware/**'
+      - 'archive/v1/data/proof/**'
      - '.github/workflows/verify-pipeline.yml'
  pull_request:
    branches: [ main, master ]
    paths:
-      - 'v1/src/core/**'
-      - 'v1/src/hardware/**'
-      - 'v1/data/proof/**'
+      - 'archive/v1/src/core/**'
+      - 'archive/v1/src/hardware/**'
+      - 'archive/v1/data/proof/**'
      - '.github/workflows/verify-pipeline.yml'
  workflow_dispatch:

@ -37,19 +37,19 @@ jobs:
      - name: Install pinned dependencies
        run: |
          python -m pip install --upgrade pip
-          pip install -r v1/requirements-lock.txt
+          pip install -r archive/v1/requirements-lock.txt

      - name: Verify reference signal is reproducible
        run: |
          echo "=== Regenerating reference signal ==="
-          python v1/data/proof/generate_reference_signal.py
+          python archive/v1/data/proof/generate_reference_signal.py
          echo ""
          echo "=== Checking data file matches committed version ==="
          # The regenerated file should be identical to the committed one
          # (We compare the metadata file since data file is large)
          python -c "
          import json, hashlib
-          with open('v1/data/proof/sample_csi_meta.json') as f:
+          with open('archive/v1/data/proof/sample_csi_meta.json') as f:
              meta = json.load(f)
          assert meta['is_synthetic'] == True, 'Metadata must mark signal as synthetic'
          assert meta['numpy_seed'] == 42, 'Seed must be 42'
@ -76,7 +76,7 @@ jobs:
          echo "=== Scanning for unseeded np.random usage in production code ==="
          # Search for np.random calls without a seed in production code
          # Exclude test files, proof data generators, and known parser placeholders
-          VIOLATIONS=$(grep -rn "np\.random\." v1/src/ \
+          VIOLATIONS=$(grep -rn "np\.random\." archive/v1/src/ \
            --include="*.py" \
            --exclude-dir="__pycache__" \
            | grep -v "np\.random\.RandomState" \
--- a/.gitignore
+++ b/.gitignore
@ -23,6 +23,14 @@ rust-port/wifi-densepose-rs/data/recordings/
 nvs.bin
 nvs_config.csv
 nvs_provision.bin
+firmware/esp32-csi-node/nvs_seed.csv
+firmware/esp32-csi-node/nvs_seed.bin
+firmware/esp32-csi-node/nvs_config.bin
+firmware/esp32-csi-node/nvs_wifi.bin
+firmware/esp32-csi-node/nvs.bin
+# Catch any other NVS binaries/CSVs with credentials
+**/nvs_*.bin
+**/nvs_*.csv

 # Working artifacts that should not land in root
 /*.wasm
@ -240,4 +248,7 @@ v1/src/sensing/mac_wifi
 **/node_modules/

 # Local build scripts
-firmware/esp32-csi-node/build_firmware.bat
+firmware/esp32-csi-node/build_firmware.batdata/
+models/
+demo_pointcloud.ply
+demo_splats.json
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -5,6 +5,306 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).

+## [Unreleased]
+
+### Added
+- **`nvsim` crate — deterministic NV-diamond magnetometer pipeline simulator** (ADR-089) —
+  New standalone leaf crate at `v2/crates/nvsim` modeling a forward-only
+  magnetic sensing path: scene → source synthesis (Biot–Savart, dipole,
+  current loop, ferrous induced moment) → material attenuation
+  (Air/Drywall/Brick/Concrete/Reinforced/SteelSheet) → NV ensemble
+  (4 〈111〉 axes, ODMR linear-readout proxy, shot-noise floor per
+  Wolf 2015 / Barry 2020) → 16-bit ADC + lock-in demodulation →
+  fixed-layout `MagFrame` records → SHA-256 witness. Six-pass build
+  per `docs/research/quantum-sensing/15-nvsim-implementation-plan.md`.
+  50 tests, ~4.5 M samples/s on x86_64 (4500× the Cortex-A53 1 kHz
+  acceptance gate), pinned reference witness
+  `cc8de9b01b0ff5bd97a6c17848a3f156c174ea7589d0888164a441584ec593b4`
+  for byte-equivalence regression. WASM-ready by construction
+  (zero `std::time/fs/env/process/thread`); builds cleanly for
+  `wasm32-unknown-unknown`. ADR-090 (Proposed, conditional) tracks the
+  optional Lindblad/Hamiltonian extension if AC magnetometry, MW power
+  saturation, hyperfine spectroscopy, or pulsed protocols become required.
+
+### Fixed
+- **Ghost skeletons in live UI with multi-node ESP32 setups** (#420, ADR-082) —
+  `tracker_bridge::tracker_to_person_detections` documented itself as filtering
+  to `is_alive()` tracks but in fact passed every non-Terminated track to the
+  WebSocket stream. `Lost` tracks — kept inside `reid_window` for
+  re-identification but not currently observed — were rendering as phantom
+  skeletons, accumulating to 22-24 with 3 nodes × 10 Hz CSI while
+  `estimated_persons` correctly reported 1. Added
+  `PoseTracker::confirmed_tracks()` (Tentative + Active only) and rewired the
+  bridge to use it. Lost tracks remain in the tracker for re-ID; they just
+  no longer ship to the UI. Regression test:
+  `test_lost_tracks_excluded_from_bridge_output`.
+- **Rust workspace build with `--no-default-features` on Windows** (#366, #415) —
+  `wifi-densepose-mat`, `wifi-densepose-sensing-server`, and `wifi-densepose-train`
+  all depended on `wifi-densepose-signal` with default features enabled, which
+  pulled `ndarray-linalg` → `openblas-src` → vcpkg/system-BLAS through the entire
+  workspace. `--no-default-features` at the workspace root then could not opt out
+  of BLAS, breaking `cargo build` / `cargo test` on Windows without vcpkg. All
+  three consumers now declare `wifi-densepose-signal = { ..., default-features = false }`,
+  so `cargo test --workspace --no-default-features` builds cleanly without
+  vcpkg/openblas. Validated: 1,538 tests pass, 0 fail, 8 ignored.
+- **`signal` test `test_estimate_occupancy_noise_only` failed without `eigenvalue`** —
+  The test unwrapped the `NotCalibrated` stub returned when the BLAS-backed
+  `estimate_occupancy` is compiled out. Gated with `#[cfg(feature = "eigenvalue")]`
+  so it only runs when the real implementation is available.
+
+## [v0.6.2-esp32] — 2026-04-20
+
+Firmware release cutting ADR-081 and the Timer Svc stack fix discovered during
+on-hardware validation. Cut from `main` at commit pointing to this entry.
+Tested on ESP32-S3 (QFN56 rev v0.2, MAC `3c:0f:02:e9:b5:f8`), 30 s continuous
+run: no crashes, 149 `rv_feature_state_t` emissions (~5 Hz), medium/slow ticks
+firing cleanly, HEALTH mesh packets sent.
+
+### Fixed
+- **Firmware: Timer Svc stack overflow on ADR-081 fast loop** — `emit_feature_state()` runs inside the FreeRTOS Timer Svc task via the fast-loop callback; it calls `stream_sender` network I/O which pushes past the ESP-IDF 2 KiB default timer stack and panics ~1 s after boot. Bumped `CONFIG_FREERTOS_TIMER_TASK_STACK_DEPTH` to 8 KiB in `sdkconfig.defaults`, `sdkconfig.defaults.template`, and `sdkconfig.defaults.4mb`. Follow-up (tracked separately): move heavy work out of the timer daemon into a dedicated worker task.
+- **Firmware: `adaptive_controller.c` implicit declaration** (#404) — `fast_loop_cb` called `emit_feature_state()` before its static definition, triggering `-Werror=implicit-function-declaration`. Added a forward declaration above the first use.
+
+### Changed
+- **CI: firmware build matrix (8MB + 4MB)** — `firmware-ci.yml` now matrix-builds both the default 8MB (`sdkconfig.defaults`) and 4MB SuperMini (`sdkconfig.defaults.4mb`) variants, uploading distinct artifacts and producing variant-named release binaries (`esp32-csi-node.bin` / `esp32-csi-node-4mb.bin`, `partition-table.bin` / `partition-table-4mb.bin`).
+
+### Added
+- **ADR-081: Adaptive CSI Mesh Firmware Kernel** — New 5-layer architecture
+  (Radio Abstraction Layer / Adaptive Controller / Mesh Sensing Plane /
+  On-device Feature Extraction / Rust handoff) that reframes the existing
+  ESP32 firmware modules as components of a chipset-agnostic kernel. ADR
+  in `docs/adr/ADR-081-adaptive-csi-mesh-firmware-kernel.md`. Goal: swap
+  one radio family for another without changing the Rust signal /
+  ruvector / train / mat crates.
+- **Firmware: radio abstraction vtable (`rv_radio_ops_t`)** — New
+  `firmware/esp32-csi-node/main/rv_radio_ops.{h}` defines the
+  chipset-agnostic ops (init, set_channel, set_mode, set_csi_enabled,
+  set_capture_profile, get_health), profile enum
+  (`RV_PROFILE_PASSIVE_LOW_RATE` / `ACTIVE_PROBE` / `RESP_HIGH_SENS` /
+  `FAST_MOTION` / `CALIBRATION`), and health snapshot struct.
+  `rv_radio_ops_esp32.c` provides the ESP32 binding wrapping
+  `csi_collector` + `esp_wifi_*`. A second binding (mock or alternate
+  chipset) is the portability acceptance test for ADR-081.
+- **Firmware: `rv_feature_state_t` packet (magic `0xC5110006`)** — New
+  60-byte compact per-node sensing state (packed, verified by
+  `_Static_assert`) in `firmware/esp32-csi-node/main/rv_feature_state.h`:
+  motion, presence, respiration BPM/conf, heartbeat BPM/conf, anomaly
+  score, env-shift score, node coherence, quality flags, IEEE CRC32.
+  Replaces raw ADR-018 CSI as the default upstream stream (~99.7%
+  bandwidth reduction: 300 B/s at 5 Hz vs. ~100 KB/s raw).
+- **Firmware: mock radio ops binding for QEMU** — New
+  `firmware/esp32-csi-node/main/rv_radio_ops_mock.c`, compiled only when
+  `CONFIG_CSI_MOCK_ENABLED`. Satisfies ADR-081's portability acceptance
+  test: a second `rv_radio_ops_t` binding compiles and runs against the
+  same controller + mesh-plane code as the ESP32 binding.
+- **Firmware: feature-state emitter wired into controller fast loop** —
+  `adaptive_controller.c` now emits one 60-byte `rv_feature_state_t` per
+  fast tick (default 200 ms → 5 Hz), pulling from the latest edge vitals
+  and controller observation. This is the first end-to-end Layer 4/5
+  path for ADR-081.
+- **Firmware: `csi_collector_get_pkt_yield_per_sec()` /
+  `_get_send_fail_count()` accessors** — Expose the CSI callback rate
+  and UDP send-failure counter so the ESP32 radio ops binding can
+  populate `rv_radio_health_t.pkt_yield_per_sec` and `.send_fail_count`,
+  closing the adaptive controller's observation loop.
+- **Firmware: host-side unit test suite for ADR-081 pure logic** — New
+  `firmware/esp32-csi-node/tests/host/` (Makefile + 2 test files + shim
+  `esp_err.h`). Exercises `adaptive_controller_decide()` (9 test cases:
+  degraded gate on pkt-yield collapse + coherence loss, anomaly > motion,
+  motion → SENSE_ACTIVE, aggressive cadence, stable presence →
+  RESP_HIGH_SENS, empty-room default, hysteresis, NULL safety) and
+  `rv_feature_state_*` helpers (size assertion, IEEE CRC32 known
+  vectors, determinism, receiver-side verification). 33/33 assertions
+  pass. Benchmarks: decide() 3.2 ns/call, CRC32(56 B) 614 ns/pkt
+  (87 MB/s), full finalize() 616 ns/call. Pure function
+  `adaptive_controller_decide()` extracted to
+  `adaptive_controller_decide.c` so the firmware build and the host
+  tests share a single source-of-truth implementation.
+- **Scripts: `validate_qemu_output.py` ADR-081 checks** — Validator
+  (invoked by ADR-061 `scripts/qemu-esp32s3-test.sh` in CI) gains three
+  checks for adaptive controller boot line, mock radio ops
+  registration, and slow-loop heartbeat, so QEMU runs regression-gate
+  Layer 1/2 presence.
+- **Firmware: ADR-081 Layer 3 mesh sensing plane** — New
+  `firmware/esp32-csi-node/main/rv_mesh.{h,c}` defines 4 node roles
+  (Anchor / Observer / Fusion relay / Coordinator), 7 on-wire message
+  types (TIME_SYNC, ROLE_ASSIGN, CHANNEL_PLAN, CALIBRATION_START,
+  FEATURE_DELTA, HEALTH, ANOMALY_ALERT), 3 authorization classes
+  (None / HMAC-SHA256-session / Ed25519-batch), `rv_node_status_t`
+  (28 B), `rv_anomaly_alert_t` (28 B), `rv_time_sync_t`,
+  `rv_role_assign_t`, `rv_channel_plan_t`, `rv_calibration_start_t`.
+  Pure-C encoder/decoder (`rv_mesh_encode()` / `rv_mesh_decode()`) with
+  16-byte envelope + payload + IEEE CRC32 trailer; convenience encoders
+  for each message type. Controller now emits `HEALTH` every slow-loop
+  tick (30 s default) and `ANOMALY_ALERT` on state transitions to ALERT
+  or DEGRADED. Host tests: `test_rv_mesh` exercises 27 assertions
+  covering roundtrip, bad magic, truncation, CRC flipping, oversize
+  payload rejection, and encode+decode throughput (1.0 μs/roundtrip
+  on host).
+- **Rust: ADR-081 Layer 1/3 mirror module** — New
+  `crates/wifi-densepose-hardware/src/radio_ops.rs` mirrors the
+  firmware-side `rv_radio_ops_t` vtable as the Rust `RadioOps` trait
+  (init, set_channel, set_mode, set_csi_enabled, set_capture_profile,
+  get_health) and provides `MockRadio` for offline testing.
+  Also mirrors the `rv_mesh.h` types (`MeshHeader`, `NodeStatus`,
+  `AnomalyAlert`, `MeshRole`, `MeshMsgType`, `AuthClass`) and ships
+  byte-identical `crc32_ieee()`, `decode_mesh()`, `decode_node_status()`,
+  `decode_anomaly_alert()`, and `encode_health()`. Exported from
+  `lib.rs`. 8 unit tests pass; `crc32_matches_firmware_vectors`
+  verifies parity with the firmware-side test vectors
+  (`0xCBF43926` for `"123456789"`, `0xD202EF8D` for single-byte zero),
+  and `mesh_constants_match_firmware` asserts `MESH_MAGIC`,
+  `MESH_VERSION`, `MESH_HEADER_SIZE`, and `MESH_MAX_PAYLOAD` match
+  `rv_mesh.h` byte-for-byte. Satisfies ADR-081's portability
+  acceptance test: signal/ruvector/train/mat crates are untouched.
+- **Firmware: adaptive controller** — New
+  `firmware/esp32-csi-node/main/adaptive_controller.{c,h}` implements
+  the three-loop closed-loop control specified by ADR-081: fast
+  (~200 ms) for cadence and active probing, medium (~1 s) for channel
+  selection and role transitions, slow (~30 s) for baseline
+  recalibration. Pure `adaptive_controller_decide()` policy function is
+  exposed in the header for offline unit testing. Default policy is
+  conservative (`enable_channel_switch` and `enable_role_change` off);
+  Kconfig surface added under "Adaptive Controller (ADR-081)".
+
+### Fixed
+- **`provision.py` esptool v5 compat** (#391) — Stale `write_flash` (underscore) syntax in the dry-run manual-flash hint now uses `write-flash` (hyphenated) for esptool >= 5.x. The primary flash command was already correct.
+- **`provision.py` silent NVS wipe** (#391) — The script replaces the entire `csi_cfg` NVS namespace on every run, so partial invocations were silently erasing WiFi credentials and causing `Retrying WiFi connection (10/10)` in the field. Now refuses to run without `--ssid`, `--password`, and `--target-ip` unless `--force-partial` is passed. `--force-partial` prints a warning listing which keys will be wiped.
+- **Firmware: defensive `node_id` capture** (#232, #375, #385, #386, #390) — Users on multi-node deployments reported `node_id` reverting to the Kconfig default (`1`) in UDP frames and in the `csi_collector` init log, despite NVS loading the correct value. The root cause (memory corruption of `g_nvs_config`) has not been definitively isolated, but the UDP frame header is now tamper-proof: `csi_collector_init()` captures `g_nvs_config.node_id` into a module-local `s_node_id` once, and `csi_serialize_frame()` plus all other consumers (`edge_processing.c`, `wasm_runtime.c`, `display_ui.c`, `swarm_bridge_init`) read it via the new `csi_collector_get_node_id()` accessor. A canary logs `WARN` if `g_nvs_config.node_id` diverges from `s_node_id` at end-of-init, helping isolate the upstream corruption path. Validated on attached ESP32-S3 (COM8): NVS `node_id=2` propagates through boot log, capture log, init log, and byte[4] of every UDP frame.
+
+### Docs
+- **CHANGELOG catch-up** (#367) — Added missing entries for v0.5.5, v0.6.0, and v0.7.0 releases.
+
+## [v0.7.0] — 2026-04-06
+
+Model release (no new firmware binary). Firmware remains at v0.6.0-esp32.
+
+### Added
+- **Camera ground-truth training pipeline (ADR-079)** — End-to-end supervised WiFlow pose training using MediaPipe + real ESP32 CSI.
+  - `scripts/collect-ground-truth.py` — MediaPipe PoseLandmarker webcam capture (17 COCO keypoints, 30fps), synchronized with CSI recording over nanosecond timestamps.
+  - `scripts/align-ground-truth.js` — Time-aligns camera keypoints with 20-frame CSI windows by binary search, confidence-weighted averaging.
+  - `scripts/train-wiflow-supervised.js` — 3-phase curriculum training (contrastive → supervised SmoothL1 → bone/temporal refinement) with 4 scale presets (lite/small/medium/full).
+  - `scripts/eval-wiflow.js` — PCK@10/20/50, MPJPE, per-joint breakdown, baseline proxy mode.
+  - `scripts/record-csi-udp.py` — Lightweight ESP32 CSI UDP recorder (no Rust build required).
+- **ruvector optimizations (O6-O10)** — Subcarrier selection (70→35, 50% reduction), attention-weighted subcarriers, Stoer-Wagner min-cut person separation, multi-SPSA gradient estimation, Mac M4 Pro training via Tailscale.
+- **Scalable WiFlow presets** — `lite` (189K params, ~19 min) through `full` (7.7M params, ~8 hrs) to match dataset size.
+- **Pre-trained WiFlow v1 model** — 92.9% PCK@20, 974 KB, 186,946 params. Published to [HuggingFace](https://huggingface.co/ruv/ruview) under `wiflow-v1/`.
+
+### Validated
+- **92.9% PCK@20** pose accuracy from a 5-minute data collection session with one $9 ESP32-S3 and one laptop webcam.
+- Training pipeline validated on real paired data: 345 samples, 19 min training, eval loss 0.082, bone constraint 0.008.
+
+## [v0.6.0-esp32] — 2026-04-03
+
+### Added
+- **Pre-trained CSI sensing weights published** — First official pre-trained models on [HuggingFace](https://huggingface.co/ruv/ruview). `model.safetensors` (48 KB), `model-q4.bin` (8 KB 4-bit), `model-q2.bin` (4 KB), `presence-head.json`, per-node LoRA adapters.
+- **17 sensing applications** — Sleep monitor, apnea detector, stress monitor, gait analyzer, RF tomography, passive radar, material classifier, through-wall detector, device fingerprint, and more. Each as a standalone `scripts/*.js`.
+- **ADRs 069-078** — 10 new architecture decisions covering Cognitum Seed integration, self-supervised pretraining, ruvllm pipeline, WiFlow architecture, channel hopping, SNN, MinCut person separation, CNN spectrograms, novel RF applications, multi-frequency mesh.
+- **Kalman tracker** (PR #341 by @taylorjdawson) — temporal smoothing of pose keypoints.
+
+### Fixed
+- Security fix merged via PR #310.
+
+### Performance
+- Presence detection: 100% accuracy on 60,630 overnight samples.
+- Inference: 0.008 ms per sample, 164K embeddings/sec.
+- Contrastive self-supervised training: 51.6% improvement over baseline.
+
+## [v0.5.5-esp32] — 2026-04-03
+
+### Added
+- **WiFlow SOTA architecture (ADR-072)** — TCN + axial attention pose decoder, 1.8M params, 881 KB at 4-bit. 17 COCO keypoints from CSI amplitude only (no phase).
+- **Multi-frequency mesh scanning (ADR-073)** — ESP32 nodes hop across channels 1/3/5/6/9/11 at 200ms dwell. Neighbor WiFi networks used as passive radar illuminators. Null subcarriers reduced from 19% to 16%.
+- **Spiking neural network (ADR-074)** — STDP online learning, adapts to new rooms in <30s with no labels, 16-160x less compute than batch training.
+- **MinCut person counting (ADR-075)** — Stoer-Wagner min-cut on subcarrier correlation graph. Fixes #348 (was always reporting 4 people).
+- **CNN spectrogram embeddings (ADR-076)** — Treat 64×20 CSI as an image, produce 128-dim environment fingerprints (0.95+ same-room similarity).
+- **Graph transformer fusion** — Multi-node CSI fusion via GATv2 attention (replaces naive averaging).
+- **Camera-free pose training pipeline** — Trains 17-keypoint model from 10 sensor signals with no camera required.
+
+### Fixed
+- **#348 person counting** — MinCut correctly counts 1-4 people (24/24 validation windows).
+
+## [v0.5.4-esp32] — 2026-04-02
+
+### Added
+- **ADR-069: ESP32 CSI → Cognitum Seed RVF ingest pipeline** — Live-validated pipeline connecting ESP32-S3 CSI sensing to Cognitum Seed (Pi Zero 2 W) edge intelligence appliance. 339 vectors ingested, 100% kNN validation, SHA-256 witness chain verified.
+- **Feature vector packet (magic 0xC5110003)** — New 48-byte packet with 8 normalized dimensions (presence, motion, breathing, heart rate, phase variance, person count, fall, RSSI) sent at 1 Hz alongside vitals.
+- **`scripts/seed_csi_bridge.py`** — Python bridge: UDP listener → HTTPS ingest with bearer token auth, `--validate` (kNN + PIR ground truth), `--stats`, `--compact` modes, hash-based vector IDs, NaN/inf rejection, source IP filtering, retry logic.
+- **Arena Physica research** — 26 research documents in `docs/research/` covering Maxwell's equations in WiFi sensing, Arena Physica Studio analysis, SOTA WiFi sensing 2025-2026, GOAP implementation plan for ESP32 + Pi Zero.
+- **Cognitum Seed MCP integration** — 114-tool MCP proxy enables AI assistants to query sensing state, vectors, witness chain, and device status directly.
+
+### Fixed
+- **Compressed frame magic collision** — Reassigned compressed frame magic from `0xC5110003` to `0xC5110005` to free `0xC5110003` for feature vectors.
+- **Uninitialized `s_top_k[0]` read** — Guarded variance computation against `s_top_k_count == 0` in `send_feature_vector()`.
+- **Presence score normalization** — Bridge now divides by 15.0 instead of clamping, preserving dynamic range for raw values 1.41-14.92.
+- **Stale magic references** — Updated ADR-039, DDD model to reflect `0xC5110005` for compressed frames.
+
+### Security
+- **Credential exposure remediation** — Removed hardcoded WiFi passwords and bearer tokens from source files. Added NVS binary/CSV patterns to `.gitignore`. Environment variable fallback for bearer token.
+- **NaN/Inf injection prevention** — Bridge validates all feature dimensions are finite before Seed ingest.
+- **UDP source filtering** — `--allowed-sources` argument restricts packet acceptance to known ESP32 IPs.
+
+### Changed
+- Wire format table now includes 6 magic numbers: `0xC5110001` (raw), `0xC5110002` (vitals), `0xC5110003` (features), `0xC5110004` (WASM events), `0xC5110005` (compressed), `0xC5110006` (fused vitals).
+
+## [v0.5.3-esp32] — 2026-03-30
+
+### Added
+- **Cross-node RSSI-weighted feature fusion** — Multiple ESP32 nodes fuse CSI features using RSSI-based weighting. Closer node gets higher weight. Reduces variance noise by 29%, keypoint jitter by 72%.
+- **DynamicMinCut person separation** — Uses `ruvector_mincut::DynamicMinCut` on the subcarrier temporal correlation graph to detect independent motion clusters. Replaces variance-based heuristic for multi-person counting.
+- **RSSI-based position tracking** — Skeleton position driven by RSSI differential between nodes. Walk between ESP32s and the skeleton follows you.
+- **Per-node state pipeline (ADR-068)** — Each ESP32 node gets independent `HashMap<u8, NodeState>` with frame history, classification, vitals, and person count. Fixes #249 (the #1 user-reported issue).
+- **RuVector Phase 1-3 integration** — Subcarrier importance weighting, temporal keypoint smoothing (EMA), coherence gating, skeleton kinematic constraints (Jakobsen relaxation), compressed pose history.
+- **Client-side lerp smoothing** — UI keypoints interpolate between frames (alpha=0.15) for fluid skeleton movement.
+- **Multi-node mesh tests** — 8 integration tests covering 1-255 node configurations.
+- **`wifi_densepose` Python package** — `from wifi_densepose import WiFiDensePose` now works (#314).
+
+### Fixed
+- **Watchdog crash on busy LANs (#321)** — Batch-limited edge_dsp to 4 frames before 20ms yield. Fixed idle-path busy-spin (`pdMS_TO_TICKS(5)==0`).
+- **No detection from edge vitals (#323)** — Server now generates `sensing_update` from Tier 2+ vitals packets.
+- **RSSI byte offset mismatch (#332)** — Server parsed RSSI from wrong byte (was reading sequence counter).
+- **Stack overflow risk** — Moved 4KB of BPM scratch buffers from stack to static storage.
+- **Stale node memory leak** — `node_states` HashMap evicts nodes inactive >60s.
+- **Unsafe raw pointer removed** — Replaced with safe `.clone()` for adaptive model borrow.
+- **Firmware CI** — Upgraded to IDF v5.4, replaced `xxd` with `od` (#327).
+- **Person count double-counting** — Multi-node aggregation changed from `sum` to `max`.
+- **Skeleton jitter** — Removed tick-based noise, dampened procedural animation, recalibrated feature scaling for real ESP32 data.
+
+### Changed
+- Motion-responsive skeleton: arm swing (0-80px) driven by CSI variance, leg kick (0-50px) by motion_band_power, vertical bob when walking.
+- Person count thresholds recalibrated for real ESP32 hardware (1→2 at 0.70, EMA alpha 0.04).
+- Vital sign filtering: larger median window (31), faster EMA (0.05), looser HR jump filter (15 BPM).
+- Vendored ruvector updated to v2.1.0-40 (316 commits ahead).
+
+### Benchmarks (2-node mesh, COM6 + COM9, 30s)
+| Metric | Baseline | v0.5.3 | Improvement |
+|--------|----------|--------|-------------|
+| Variance noise | 109.4 | 77.6 | **-29%** |
+| Feature stability | std=154.1 | std=105.4 | **-32%** |
+| Keypoint jitter | std=4.5px | std=1.3px | **-72%** |
+| Confidence | 0.643 | 0.686 | **+7%** |
+| Presence accuracy | 93.4% | 94.6% | **+1.3pp** |
+
+### Verified
+- Real hardware: COM6 (node 1) + COM9 (node 2) on ruv.net WiFi
+- All 284 Rust tests pass, 352 signal crate tests pass
+- Firmware builds clean at 843 KB
+- QEMU CI: 11/11 jobs green
+
+## [v0.5.2-esp32] — 2026-03-28
+
+### Fixed
+- RSSI byte offset in frame parser (#332)
+- Per-node state pipeline for multi-node sensing (#249)
+- Firmware CI upgraded to IDF v5.4 (#327)
+
+## [v0.5.1-esp32] — 2026-03-27
+
+### Fixed
+- Watchdog crash on busy LANs (#321)
+- No detection from edge vitals (#323)
+- `wifi_densepose` Python package import (#314)
+- Pre-compiled firmware binaries added to release
+
 ## [v0.5.0-esp32] — 2026-03-15

 ### Added
@ -239,7 +539,7 @@ Major release: complete Rust sensing server, full DensePose training pipeline, R
 - `PresenceClassifier` — rule-based 3-state classification (ABSENT / PRESENT_STILL / ACTIVE)
 - Cross-receiver agreement scoring for multi-AP confidence boosting
 - WebSocket sensing server (`ws_server.py`) broadcasting JSON at 2 Hz
- Deterministic CSI proof bundles for reproducible verification (`v1/data/proof/`)
+- Deterministic CSI proof bundles for reproducible verification (`archive/v1/data/proof/`)
 - Commodity sensing unit tests (`b391638`)

 ### Changed
@ -247,7 +547,7 @@ Major release: complete Rust sensing server, full DensePose training pipeline, R

 ### Fixed
 - Review fixes for end-to-end training pipeline (`45f0304`)
- Dockerfile paths updated from `src/` to `v1/src/` (`7872987`)
+- Dockerfile paths updated from `src/` to `archive/v1/src/` (`7872987`)
 - IoT profile installer instructions updated for aggregator CLI (`f460097`)
 - `process.env` reference removed from browser ES module (`e320bc9`)

--- a/CLAUDE.md
+++ b/CLAUDE.md
@ -3,7 +3,7 @@
 ## Project: wifi-densepose

 WiFi-based human pose estimation using Channel State Information (CSI).
-Dual codebase: Python v1 (`v1/`) and Rust port (`rust-port/wifi-densepose-rs/`).
+Dual codebase: Python v1 (`v1/`) and Rust port (`v2/`).
 ### Key Rust Crates
 | Crate | Description |
 |-------|-------------|
@ -22,6 +22,7 @@ Dual codebase: Python v1 (`v1/`) and Rust port (`rust-port/wifi-densepose-rs/`).
 | `wifi-densepose-sensing-server` | Lightweight Axum server for WiFi sensing UI |
 | `wifi-densepose-wifiscan` | Multi-BSSID WiFi scanning (ADR-022) |
 | `wifi-densepose-vitals` | ESP32 CSI-grade vital sign extraction (ADR-021) |
+| `nvsim` | Deterministic NV-diamond magnetometer pipeline simulator (ADR-089) — standalone leaf, WASM-ready |

 ### RuvSense Modules (`signal/src/ruvsense/`)
 | Module | Purpose |
@ -84,17 +85,17 @@ All 5 ruvector crates integrated in workspace:
 ### Build & Test Commands (this repo)
 ```bash
 # Rust — full workspace tests (1,031+ tests, ~2 min)
-cd rust-port/wifi-densepose-rs
+cd v2
 cargo test --workspace --no-default-features

 # Rust — single crate check (no GPU needed)
 cargo check -p wifi-densepose-train --no-default-features

 # Python — deterministic proof verification (SHA-256)
-python v1/data/proof/verify.py
+python archive/v1/data/proof/verify.py

 # Python — test suite
-cd v1 && python -m pytest tests/ -x -q
+cd archive/v1 && python -m pytest tests/ -x -q
 ```

 ### ESP32 Firmware Build (Windows — Python subprocess required)
@ -151,12 +152,12 @@ Crates must be published in dependency order:

 ```bash
 # 1. Rust tests — must be 1,031+ passed, 0 failed
-cd rust-port/wifi-densepose-rs
+cd v2
 cargo test --workspace --no-default-features

 # 2. Python proof — must print VERDICT: PASS
-cd ../..
-python v1/data/proof/verify.py
+cd ..
+python archive/v1/data/proof/verify.py

 # 3. Generate witness bundle (includes both above + firmware hashes)
 bash scripts/generate-witness-bundle.sh
@ -169,8 +170,8 @@ bash VERIFY.sh
 **If the Python proof hash changes** (e.g., numpy/scipy version update):
 ```bash
 # Regenerate the expected hash, then verify it passes
-python v1/data/proof/verify.py --generate-hash
-python v1/data/proof/verify.py
+python archive/v1/data/proof/verify.py --generate-hash
+python archive/v1/data/proof/verify.py
 ```

 **Witness bundle contents** (`dist/witness-bundle-ADR028-<sha>.tar.gz`):
@ -183,9 +184,9 @@ python v1/data/proof/verify.py
 - `VERIFY.sh` — One-command self-verification for recipients

 **Key proof artifacts:**
- `v1/data/proof/verify.py` — Trust Kill Switch: feeds reference signal through production pipeline, hashes output
- `v1/data/proof/expected_features.sha256` — Published expected hash
- `v1/data/proof/sample_csi_data.json` — 1,000 synthetic CSI frames (seed=42)
+- `archive/v1/data/proof/verify.py` — Trust Kill Switch: feeds reference signal through production pipeline, hashes output
+- `archive/v1/data/proof/expected_features.sha256` — Published expected hash
+- `archive/v1/data/proof/sample_csi_data.json` — 1,000 synthetic CSI frames (seed=42)
 - `docs/WITNESS-LOG-028.md` — 11-step reproducible verification procedure
 - `docs/adr/ADR-028-esp32-capability-audit.md` — Complete audit record

@ -211,13 +212,13 @@ Active feature branch: `ruvsense-full-implementation` (PR #77)
 - NEVER save to root folder — use the directories below
 - `docs/adr/` — Architecture Decision Records (43 ADRs)
 - `docs/ddd/` — Domain-Driven Design models
- `rust-port/wifi-densepose-rs/crates/` — Rust workspace crates (15 crates)
- `rust-port/wifi-densepose-rs/crates/wifi-densepose-signal/src/ruvsense/` — RuvSense multistatic modules (14 files)
- `rust-port/wifi-densepose-rs/crates/wifi-densepose-ruvector/src/viewpoint/` — Cross-viewpoint fusion (5 files)
- `rust-port/wifi-densepose-rs/crates/wifi-densepose-hardware/src/esp32/` — ESP32 TDM protocol
+- `v2/crates/` — Rust workspace crates (15 crates)
+- `v2/crates/wifi-densepose-signal/src/ruvsense/` — RuvSense multistatic modules (14 files)
+- `v2/crates/wifi-densepose-ruvector/src/viewpoint/` — Cross-viewpoint fusion (5 files)
+- `v2/crates/wifi-densepose-hardware/src/esp32/` — ESP32 TDM protocol
 - `firmware/esp32-csi-node/main/` — ESP32 C firmware (channel hopping, NVS config, TDM)
- `v1/src/` — Python source (core, hardware, services, api)
- `v1/data/proof/` — Deterministic CSI proof bundles
+- `archive/v1/src/` — Python source (core, hardware, services, api)
+- `archive/v1/data/proof/` — Deterministic CSI proof bundles
 - `.claude-flow/` — Claude Flow coordination state (committed for team sharing)
 - `.claude/` — Claude Code settings, agents, memory (committed for team sharing)

@ -243,7 +244,7 @@ Active feature branch: `ruvsense-full-implementation` (PR #77)
 Before merging any PR, verify each item applies and is addressed:

 1. **Rust tests pass** — `cargo test --workspace --no-default-features` (1,031+ passed, 0 failed)
-2. **Python proof passes** — `python v1/data/proof/verify.py` (VERDICT: PASS)
+2. **Python proof passes** — `python archive/v1/data/proof/verify.py` (VERDICT: PASS)
 3. **README.md** — Update platform tables, crate descriptions, hardware tables, feature summaries if scope changed
 4. **CLAUDE.md** — Update crate table, ADR list, module tables, version if scope changed
 5. **CHANGELOG.md** — Add entry under `[Unreleased]` with what was added/fixed/changed
--- a/README.md
+++ b/README.md
@ -6,34 +6,33 @@
  </a>
 </p>

-> **Alpha Software** — This project is under active development. APIs, firmware behavior, and documentation may change. Known limitations:
-> - Multi-node person counting may show identical output regardless of the number of people (#249)
-> - Training pipeline on MM-Fi dataset may plateau at low PCK (#318) — hyperparameter tuning in progress
-> - No pre-trained model weights are provided; training from scratch is required
+> **Beta Software** — Under active development. APIs and firmware may change. Known limitations:
 > - ESP32-C3 and original ESP32 are not supported (single-core, insufficient for CSI DSP)
-> - Single ESP32 deployments have limited spatial resolution
+> - Single ESP32 deployments have limited spatial resolution — use 2+ nodes or add a [Cognitum Seed](https://cognitum.one) for best results
+> - Camera-free pose accuracy is limited — use [camera ground-truth training](docs/adr/ADR-079-camera-ground-truth-training.md) for 92.9% PCK@20
 >
 > Contributions and bug reports welcome at [Issues](https://github.com/ruvnet/RuView/issues).

-## **See through walls with WiFi + Ai** ##
+## **See through walls with WiFi** ##

-**Perceive the world through signals.** No cameras. No wearables. No Internet. Just physics.
+**Turn ordinary WiFi into a sensing system.** Detect people, measure breathing and heart rate, track movement, and monitor rooms — through walls, in the dark, with no cameras or wearables. Just physics.

-### π RuView is an edge AI perception system that learns directly from the environment around it.
+### π RuView is a WiFi sensing platform that turns radio signals into spatial intelligence.

-Instead of relying on cameras or cloud models, it observes whatever signals exist in a space such as WiFi, radio waves across the spectrum, motion patterns, vibration, sound, or other sensory inputs and builds an understanding of what is happening locally.
+Every WiFi router already fills your space with radio waves. When people move, breathe, or even sit still, they disturb those waves in measurable ways. RuView captures these disturbances using Channel State Information (CSI) from low-cost ESP32 sensors and turns them into actionable data: who's there, what they're doing, and whether they're okay.

-Built on top of [RuVector](https://github.com/ruvnet/ruvector/) Self Learning Vector Memory system and [Cognitum.One](https://Cognitum.One) , the project became widely known for its implementation of WiFi DensePose — a sensing technique first explored in academic research such as Carnegie Mellon University's *DensePose From WiFi* work. That research demonstrated that WiFi signals can be used to reconstruct human pose.
+**What it senses:**
+- **Presence and occupancy** — detect people through walls, count them, track entries and exits
+- **Vital signs** — breathing rate and heart rate, contactless, while sleeping or sitting
+- **Activity recognition** — walking, sitting, gestures, falls — from temporal CSI patterns
+- **Environment mapping** — RF fingerprinting identifies rooms, detects moved furniture, spots new objects
+- **Sleep quality** — overnight monitoring with sleep stage classification and apnea screening

-RuView extends that concept into a practical edge system. By analyzing Channel State Information (CSI) disturbances caused by human movement, RuView reconstructs body position, breathing rate, heart rate, and presence in real time using physics-based signal processing and machine learning.
+Built on [RuVector](https://github.com/ruvnet/ruvector/) and [Cognitum Seed](https://cognitum.one), RuView runs entirely on edge hardware — an ESP32 mesh (as low as $9 per node) paired with a Cognitum Seed for persistent memory, cryptographic attestation, and AI integration. No cloud, no cameras, no internet required.

-Unlike research systems that rely on synchronized cameras for training, RuView is designed to operate entirely from radio signals and self-learned embeddings at the edge.
+The system learns each environment locally using spiking neural networks that adapt in under 30 seconds, with multi-frequency mesh scanning across 6 WiFi channels that uses your neighbors' routers as free radar illuminators. Every measurement is cryptographically attested via an Ed25519 witness chain.

-The system runs entirely on inexpensive hardware such as an ESP32 sensor mesh (as low as ~$1 per node). Small programmable edge modules analyze signals locally and learn the RF signature of a room over time, allowing the system to separate the environment from the activity happening inside it.
-
-Because RuView learns in proximity to the signals it observes, it improves as it operates. Each deployment develops a local model of its surroundings and continuously adapts without requiring cameras, labeled data, or cloud infrastructure.
-
-In practice this means ordinary environments gain a new kind of spatial awareness. Rooms, buildings, and devices begin to sense presence, movement, and vital activity using the signals that already fill the space.
+RuView also supports pose estimation (17 COCO keypoints via the WiFlow architecture), trained entirely without cameras using 10 sensor signals — a technique pioneered from the original *DensePose From WiFi* research at Carnegie Mellon University.

 ### Built for low-power edge applications

@ -41,7 +40,7 @@ In practice this means ordinary environments gain a new kind of spatial awarenes

 [![Rust 1.85+](https://img.shields.io/badge/rust-1.85+-orange.svg)](https://www.rust-lang.org/)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
-[![Tests: 1300+](https://img.shields.io/badge/tests-1300%2B-brightgreen.svg)](https://github.com/ruvnet/RuView)
+[![Tests: 1463](https://img.shields.io/badge/tests-1463%20passed-brightgreen.svg)](https://github.com/ruvnet/RuView)
 [![Docker: multi-arch](https://img.shields.io/badge/docker-amd64%20%2B%20arm64-blue.svg)](https://hub.docker.com/r/ruvnet/wifi-densepose)
 [![Vital Signs](https://img.shields.io/badge/vital%20signs-breathing%20%2B%20heartbeat-red.svg)](#vital-sign-detection)
 [![ESP32 Ready](https://img.shields.io/badge/ESP32--S3-CSI%20streaming-purple.svg)](#esp32-s3-hardware-pipeline)
@ -50,43 +49,339 @@ In practice this means ordinary environments gain a new kind of spatial awarenes
 
 > | What | How | Speed |
 > |------|-----|-------|
-> | **Pose estimation** | CSI subcarrier amplitude/phase → DensePose UV maps | 54K fps (Rust) |
-> | **Breathing detection** | Bandpass 0.1-0.5 Hz → FFT peak | 6-30 BPM |
-> | **Heart rate** | Bandpass 0.8-2.0 Hz → FFT peak | 40-120 BPM |
-> | **Presence sensing** | RSSI variance + motion band power | < 1ms latency |
+> | **Pose estimation** | CSI subcarrier amplitude/phase → 17 COCO keypoints | 171K emb/s (M4 Pro) |
+> | **Breathing detection** | Bandpass 0.1-0.5 Hz → zero-crossing BPM | 6-30 BPM |
+> | **Heart rate** | Bandpass 0.8-2.0 Hz → zero-crossing BPM | 40-120 BPM |
+> | **Presence sensing** | Trained model + PIR fusion — 100% accuracy | 0.012 ms latency |
 > | **Through-wall** | Fresnel zone geometry + multipath modeling | Up to 5m depth |
+> | **Edge intelligence** | 8-dim feature vectors + RVF store on Cognitum Seed | $140 total BOM |
+> | **Camera-free training** | 10 sensor signals, no labels needed | 84s on M4 Pro |
+> | **Camera-supervised training** | MediaPipe + ESP32 CSI → 92.9% PCK@20 | 19 min on laptop |
+> | **Multi-frequency mesh** | Channel hopping across 6 bands, neighbor APs as illuminators | 3x sensing bandwidth |

 ```bash
-# 30 seconds to live sensing — no toolchain required
+# Option 1: Docker (simulated data, no hardware needed)
 docker pull ruvnet/wifi-densepose:latest
 docker run -p 3000:3000 ruvnet/wifi-densepose:latest
 # Open http://localhost:3000
+
+# Option 2: Live sensing with ESP32-S3 hardware ($9)
+# Flash firmware, provision WiFi, and start sensing:
+python -m esptool --chip esp32s3 --port COM9 --baud 460800 \
+  write_flash 0x0 bootloader.bin 0x8000 partition-table.bin \
+  0xf000 ota_data_initial.bin 0x20000 esp32-csi-node.bin
+python firmware/esp32-csi-node/provision.py --port COM9 \
+  --ssid "YourWiFi" --password "secret" --target-ip 192.168.1.20
+
+# Option 3: Full system with Cognitum Seed ($140)
+# ESP32 streams CSI → bridge forwards to Seed for persistent storage + kNN + witness chain
+node scripts/rf-scan.js --port 5006           # Live RF room scan
+node scripts/snn-csi-processor.js --port 5006  # SNN real-time learning
+node scripts/mincut-person-counter.js --port 5006  # Correct person counting
 ```

 > [!NOTE]
-> **CSI-capable hardware required.** Pose estimation, vital signs, and through-wall sensing rely on Channel State Information (CSI) — per-subcarrier amplitude and phase data that standard consumer WiFi does not expose. You need CSI-capable hardware (ESP32-S3 or a research NIC) for full functionality. Consumer WiFi laptops can only provide RSSI-based presence detection, which is significantly less capable.
+> **CSI-capable hardware recommended.** Presence, vital signs, through-wall sensing, and all advanced capabilities require Channel State Information (CSI) from an ESP32-S3 ($9) or research NIC. The Docker image runs with simulated data for evaluation. Consumer WiFi laptops provide RSSI-only presence detection.

 > **Hardware options** for live CSI capture:
 >
 > | Option | Hardware | Cost | Full CSI | Capabilities |
 > |--------|----------|------|----------|-------------|
-> | **ESP32 Mesh** (recommended) | 3-6x ESP32-S3 + WiFi router | ~$54 | Yes | Pose, breathing, heartbeat, motion, presence |
+> | **ESP32 + Cognitum Seed** (recommended) | ESP32-S3 + [Cognitum Seed](https://cognitum.one) | ~$140 | Yes | Pose, breathing, heartbeat, motion, presence + persistent vector store, kNN search, witness chain, MCP proxy |
+> | **ESP32 Mesh** | 3-6x ESP32-S3 + WiFi router | ~$54 | Yes | Pose, breathing, heartbeat, motion, presence |
 > | **Research NIC** | Intel 5300 / Atheros AR9580 | ~$50-100 | Yes | Full CSI with 3x3 MIMO |
 > | **Any WiFi** | Windows, macOS, or Linux laptop | $0 | No | RSSI-only: coarse presence and motion |
 >
-> No hardware? Verify the signal processing pipeline with the deterministic reference signal: `python v1/data/proof/verify.py`
+> No hardware? Verify the signal processing pipeline with the deterministic reference signal: `python archive/v1/data/proof/verify.py`
 >
 ---

+### Real-Time Dense Point Cloud (NEW)
+
+RuView now generates **real-time 3D point clouds** by fusing camera depth + WiFi CSI + mmWave radar. All sensors stream simultaneously into a unified spatial model.
+
+| Sensor | Data | Integration |
+|--------|------|-------------|
+| **Camera** | MiDaS monocular depth (GPU) | 640×480 → 19,200+ depth points per frame |
+| **ESP32 CSI** | ADR-018 binary frames (UDP) | RF tomography → 8×8×4 occupancy grid |
+| **WiFlow Pose** | 17 COCO keypoints from CSI | Skeleton overlay on point cloud |
+| **Vital Signs** | Breathing rate from CSI phase | Stored in ruOS brain every 60s |
+| **Motion** | CSI amplitude variance | Adaptive capture rate (skip depth when still) |
+
+**Quick start:**
+```bash
+cd v2
+cargo build --release -p wifi-densepose-pointcloud
+./target/release/ruview-pointcloud serve --bind 127.0.0.1:9880
+# Open http://localhost:9880 for live 3D viewer
+```
+
+**CLI commands:**
+```bash
+ruview-pointcloud demo                            # synthetic demo
+ruview-pointcloud serve --bind 127.0.0.1:9880     # live server + Three.js viewer
+ruview-pointcloud capture --output room.ply       # capture to PLY
+ruview-pointcloud train                           # depth calibration + DPO pairs
+ruview-pointcloud cameras                         # list available cameras
+ruview-pointcloud csi-test --count 100            # send test CSI frames
+ruview-pointcloud fingerprint office --seconds 5  # record named CSI room fingerprint
+```
+
+The HTTP/viewer server defaults to **loopback (`127.0.0.1`)** — exposing live camera/CSI/vitals on `0.0.0.0` is an explicit opt-in. Brain URL defaults to `http://127.0.0.1:9876` and is overridable via `RUVIEW_BRAIN_URL` env var or the `--brain` flag on `serve`/`train`.
+
+The pose overlay currently uses an **amplitude-energy heuristic** (`heuristic_pose_from_amplitude`) rather than trained WiFlow inference — real ONNX/Candle inference is tracked as a follow-up.
+
+**Performance:** 22ms pipeline, 905 req/s API, 40K voxel room model from 20 frames.
+
+**Brain integration:** Spatial observations (motion, vitals, skeleton, occupancy) sync to the ruOS brain every 60 seconds for agent reasoning.
+
+See [PR #405](https://github.com/ruvnet/RuView/pull/405) for full details.
+
+### What's New in v0.7.0
+
+<details>
+<summary><strong>Camera Ground-Truth Training — 92.9% PCK@20</strong></summary>
+
+**v0.7.0 adds camera-supervised pose training** using MediaPipe + real ESP32 CSI data:
+
+| Capability | What it does | ADR |
+|-----------|-------------|-----|
+| **Camera ground-truth collection** | MediaPipe PoseLandmarker captures 17 COCO keypoints at 30fps, synced with ESP32 CSI | [ADR-079](docs/adr/ADR-079-camera-ground-truth-training.md) |
+| **ruvector subcarrier selection** | Variance-based top-K reduces input by 50% (70→35 subcarriers) | ADR-079 O6 |
+| **Stoer-Wagner min-cut** | Person-specific subcarrier cluster separation for multi-person training | ADR-079 O8 |
+| **Scalable WiFlow model** | 4 presets: lite (189K) → small (474K) → medium (800K) → full (7.7M params) | ADR-079 |
+
+```bash
+# Collect ground truth (camera + ESP32 simultaneously)
+python scripts/collect-ground-truth.py --duration 300 --preview
+python scripts/record-csi-udp.py --duration 300
+
+# Align CSI windows with camera keypoints
+node scripts/align-ground-truth.js --gt data/ground-truth/*.jsonl --csi data/recordings/*.csi.jsonl
+
+# Train WiFlow model (start lite, scale up as data grows)
+node scripts/train-wiflow-supervised.js --data data/paired/*.jsonl --scale lite
+
+# Evaluate
+node scripts/eval-wiflow.js --model models/wiflow-real/wiflow-v1.json --data data/paired/*.jsonl
+```
+
+**Result: 92.9% PCK@20** from a 5-minute data collection session with one ESP32-S3 and one webcam.
+
+| Metric | Before (proxy) | After (camera-supervised) |
+|--------|----------------|--------------------------|
+| PCK@20 | 0% | **92.9%** |
+| Eval loss | 0.700 | **0.082** |
+| Bone constraint | N/A | **0.008** |
+| Training time | N/A | **19 minutes** |
+| Model size | N/A | **974 KB** |
+
+Pre-trained model: [HuggingFace ruv/ruview/wiflow-v1](https://huggingface.co/ruv/ruview)
+
+</details>
+
+### Pre-Trained Models (v0.6.0) — No Training Required
+
+<details>
+<summary><strong>Download from HuggingFace and start sensing immediately</strong></summary>
+
+Pre-trained models are available on HuggingFace:
+> **https://huggingface.co/ruv/ruview** (primary) | [mirror](https://huggingface.co/ruvnet/wifi-densepose-pretrained)
+
+Trained on 60,630 real-world samples from an 8-hour overnight collection. Just download and run — no datasets, no GPU, no training needed.
+
+| Model | Size | What it does |
+|-------|------|-------------|
+| `model.safetensors` | 48 KB | Contrastive encoder — 128-dim embeddings for presence, activity, environment |
+| `model-q4.bin` | 8 KB | 4-bit quantized — fits in ESP32-S3 SRAM for edge inference |
+| `model-q2.bin` | 4 KB | 2-bit ultra-compact for memory-constrained devices |
+| `presence-head.json` | 2.6 KB | 100% accurate presence detection head |
+| `node-1.json` / `node-2.json` | 21 KB | Per-room LoRA adapters (swap for new rooms) |
+
+```bash
+# Download and use (Python)
+pip install huggingface_hub
+huggingface-cli download ruv/ruview --local-dir models/
+
+# Or use directly with the sensing pipeline
+node scripts/train-ruvllm.js --data data/recordings/*.csi.jsonl  # retrain on your own data
+node scripts/benchmark-ruvllm.js --model models/csi-ruvllm       # benchmark
+```
+
+**Benchmarks (Apple M4 Pro, retrained on overnight data):**
+
+| What we measured | Result | Why it matters |
+|-----------------|--------|---------------|
+| **Presence detection** | **100% accuracy** | Never misses a person, never false alarms |
+| **Inference speed** | **0.008 ms** per embedding | 125,000x faster than real-time |
+| **Throughput** | **164,183 embeddings/sec** | One Mac Mini handles 1,600+ ESP32 nodes |
+| **Contrastive learning** | **51.6% improvement** | Strong pattern learning from real overnight data |
+| **Model size** | **8 KB** (4-bit quantized) | Fits in ESP32 SRAM — no server needed |
+| **Total hardware cost** | **$140** | ESP32 ($9) + [Cognitum Seed](https://cognitum.one) ($131) |
+
+</details>
+
+### 17 Sensing Applications (v0.6.0)
+
+<details>
+<summary><strong>Health, environment, security, and multi-frequency mesh sensing</strong></summary>
+
+All applications run from a single ESP32 + optional Cognitum Seed. No camera, no cloud, no internet.
+
+**Health & Wellness:**
+
+| Application | Script | What it detects |
+|------------|--------|----------------|
+| Sleep Monitor | `node scripts/sleep-monitor.js` | Sleep stages (deep/light/REM/awake), efficiency, hypnogram |
+| Apnea Detector | `node scripts/apnea-detector.js` | Breathing pauses >10s, AHI severity scoring |
+| Stress Monitor | `node scripts/stress-monitor.js` | Heart rate variability, LF/HF stress ratio |
+| Gait Analyzer | `node scripts/gait-analyzer.js` | Walking cadence, stride asymmetry, tremor detection |
+
+**Environment & Security:**
+
+| Application | Script | What it detects |
+|------------|--------|----------------|
+| Person Counter | `node scripts/mincut-person-counter.js` | Correct occupancy count (fixes #348) |
+| Room Fingerprint | `node scripts/room-fingerprint.js` | Activity state clustering, daily patterns, anomalies |
+| Material Detector | `node scripts/material-detector.js` | New/moved objects via subcarrier null changes |
+| Device Fingerprint | `node scripts/device-fingerprint.js` | Electronic device activity (printer, router, etc.) |
+
+**Multi-Frequency Mesh** (requires `--hop-channels` provisioning):
+
+| Application | Script | What it detects |
+|------------|--------|----------------|
+| RF Tomography | `node scripts/rf-tomography.js` | 2D room imaging via RF backprojection |
+| Passive Radar | `node scripts/passive-radar.js` | Neighbor WiFi APs as bistatic radar illuminators |
+| Material Classifier | `node scripts/material-classifier.js` | Metal/water/wood/glass from frequency response |
+| Through-Wall | `node scripts/through-wall-detector.js` | Motion behind walls using lower-frequency penetration |
+
+All scripts support `--replay data/recordings/*.csi.jsonl` for offline analysis and `--json` for programmatic output.
+
+</details>
+
+### What's New in v0.5.5
+
+<details>
+<summary><strong>Advanced Sensing: SNN + MinCut + WiFlow + Multi-Frequency Mesh</strong></summary>
+
+**v0.5.5 adds four new sensing capabilities** built on the [ruvector](https://github.com/ruvnet/ruvector) ecosystem:
+
+| Capability | What it does | ADR |
+|-----------|-------------|-----|
+| **Spiking Neural Network** | Adapts to your room in <30s with STDP online learning — no labels, no batches, 16-160x less compute | [ADR-074](docs/adr/ADR-074-spiking-neural-csi-sensing.md) |
+| **MinCut Person Counting** | Stoer-Wagner min-cut on subcarrier correlation graph — **fixes #348** (was always 4, now correct) | [ADR-075](docs/adr/ADR-075-mincut-person-separation.md) |
+| **CNN Spectrogram Embeddings** | Treat CSI as a 64×20 image → 128-dim embedding for environment fingerprinting (0.95+ similarity) | [ADR-076](docs/adr/ADR-076-csi-spectrogram-embeddings.md) |
+| **WiFlow SOTA Architecture** | TCN + axial attention + pose decoder → 17 COCO keypoints, 1.8M params (881 KB at 4-bit) | [ADR-072](docs/adr/ADR-072-wiflow-architecture.md) |
+| **Multi-Frequency Mesh** | Channel hopping across 6 bands, neighbor WiFi as passive radar illuminators | [ADR-073](docs/adr/ADR-073-multifrequency-mesh-scan.md) |
+
+```bash
+# Live RF room scan (spectrum visualization)
+node scripts/rf-scan.js --port 5006 --duration 30
+
+# Correct person counting (fixes #348)
+node scripts/mincut-person-counter.js --port 5006
+
+# SNN real-time adaptation
+node scripts/snn-csi-processor.js --port 5006
+
+# CNN spectrogram embeddings
+node scripts/csi-spectrogram.js --replay data/recordings/*.csi.jsonl
+
+# WiFlow 17-keypoint pose training
+node scripts/train-wiflow.js --data data/recordings/*.csi.jsonl
+
+# Enable channel hopping on ESP32
+python firmware/esp32-csi-node/provision.py --port COM9 --hop-channels "1,6,11"
+```
+
+**Validated benchmarks:**
+
+| Metric | v0.5.4 | v0.5.5 |
+|--------|--------|--------|
+| Person counting | Broken (always 4) | **Correct** (MinCut, 24/24) |
+| WiFi channels | 1 | **6** (multi-freq hopping) |
+| Null subcarriers | 19% blocked | **16%** (frequency diversity) |
+| Pose model | 16K params (FC only) | **1.8M params** (WiFlow) |
+| Online adaptation | None | **<30s** (SNN STDP) |
+| Fingerprint dims | 8 | **128** (CNN spectrogram) |
+| Multi-node fusion | Average | **GATv2 attention** |
+| New scripts | 0 | **15+** |
+| New ADRs | 3 | **8** (069-076) |
+
+</details>
+
+### What's New in v0.5.4
+
+<details>
+<summary><strong>Cognitum Seed Integration + Camera-Free Pose Training</strong></summary>
+
+**v0.5.4 transforms RuView from a real-time sensing tool into a persistent edge AI system.** Your ESP32 now remembers what it senses, learns without cameras, and proves its data cryptographically.
+
+| Capability | Details | Hardware |
+|-----------|---------|----------|
+| **Persistent vector store** | Every sensing event stored as searchable 8-dim vector in RVF format | ESP32 + [Cognitum Seed](https://cognitum.one) ($140) |
+| **kNN similarity search** | "Find the 10 most similar states to right now" — anomaly detection, fingerprinting | Cognitum Seed |
+| **Witness chain** | SHA-256 tamper-evident audit trail for every measurement (1,747 entries validated) | Cognitum Seed |
+| **Camera-free pose training** | 17 COCO keypoints from 10 sensor signals — PIR, RSSI triangulation, subcarrier asymmetry, vibration, BME280 | 2x ESP32 + Seed |
+| **Pre-trained model** | 82.8 KB (8 KB at 4-bit quantization), 100% presence accuracy, 0 skeleton violations | Download from release |
+| **Sub-ms inference** | 0.012 ms latency, 171,472 embeddings/sec on M4 Pro | Any machine with Node.js |
+| **SONA adaptation** | Adapts to new rooms in <1ms without retraining | ruvllm runtime |
+| **LoRA room adapters** | Per-node fine-tuning with 2,048 parameters per adapter | Automatic |
+| **114-tool MCP proxy** | AI assistants (Claude, GPT) query sensors directly via JSON-RPC | Cognitum Seed |
+| **Multi-frequency mesh** | Channel hopping across ch 1/3/5/6/9/11 — neighbor WiFi as passive radar | 2x ESP32 ($18) |
+| **RF room scanner** | Real-time spectrum visualization: nulls, reflectors, movement, multipath | `node scripts/rf-scan.js` |
+| **Security hardened** | Bearer tokens, TLS, source IP filtering, NaN rejection, credential rotation | All components |
+
+**Training pipeline (ruvllm, no PyTorch needed):**
+
+```bash
+# Collect data (2 min, ESP32s must be streaming)
+python scripts/collect-training-data.py --port 5006 --duration 120
+
+# Train — contrastive pretraining + task heads + LoRA + quantization + EWC
+node scripts/train-ruvllm.js --data data/recordings/pretrain-*.csi.jsonl
+
+# Camera-free 17-keypoint pose (uses PIR + RSSI + vibration + subcarrier asymmetry)
+node scripts/train-camera-free.js --data data/recordings/pretrain-*.csi.jsonl
+
+# Benchmark
+node scripts/benchmark-ruvllm.js --model models/csi-ruvllm
+```
+
+**Benchmarks — validated on real hardware (Apple M4 Pro + ESP32-S3 + Cognitum Seed):**
+
+| What we measured | Result | Why it matters |
+|-----------------|--------|---------------|
+| **Presence detection** | **100% accuracy** | Never misses a person, never false alarms |
+| **Person counting** | **24/24 correct** (MinCut) | Fixed the #1 user-reported issue |
+| **Inference speed** | **0.012 ms** per embedding | 83,000x faster than real-time |
+| **Throughput** | **171,472 embeddings/sec** | One Mac Mini handles 1,700+ ESP32 nodes |
+| **Training time** | **84 seconds** | From zero to trained model in under 2 minutes |
+| **Contrastive learning** | **33.9% improvement** | Model learns meaningful patterns from CSI |
+| **Model size** | **8 KB** (4-bit quantized) | Fits in ESP32 SRAM — no server needed |
+| **Skeleton physics** | **0 violations** in 100 frames | Every pose is anatomically valid |
+| **Pose keypoints** | **17 COCO keypoints** | Full body pose, no camera required |
+| **WiFi channels** | **6 simultaneous** | 3x more sensing data than single-channel |
+| **Online adaptation** | **<30 seconds** (SNN) | Learns a new room without retraining |
+| **Witness chain** | **2,547 entries** verified | Cryptographic proof every measurement is real |
+| **Test suite** | **1,463 tests passed** | Rock-solid foundation |
+| **Total hardware cost** | **$140** | ESP32 ($9) + [Cognitum Seed](https://cognitum.one) ($131) |
+
+See [ADR-069](docs/adr/ADR-069-cognitum-seed-csi-pipeline.md), [ADR-071](docs/adr/ADR-071-ruvllm-training-pipeline.md), and the [Cognitum Seed tutorial](docs/tutorials/cognitum-seed-pretraining.md) for full details.
+
+</details>
+
+---
+
 ## 📖 Documentation

 | Document | Description |
 |----------|-------------|
 | [User Guide](docs/user-guide.md) | Step-by-step guide: installation, first run, API usage, hardware setup, training |
 | [Build Guide](docs/build-guide.md) | Building from source (Rust and Python) |
-| [Architecture Decisions](docs/adr/README.md) | 62 ADRs — why each technical choice was made, organized by domain (hardware, signal processing, ML, platform, infrastructure) |
+| [Architecture Decisions](docs/adr/README.md) | 79 ADRs — why each technical choice was made, organized by domain (hardware, signal processing, ML, platform, infrastructure) |
 | [Domain Models](docs/ddd/README.md) | 7 DDD models (RuvSense, Signal Processing, Training Pipeline, Hardware Platform, Sensing Server, WiFi-Mat, CHCI) — bounded contexts, aggregates, domain events, and ubiquitous language |
-| [Desktop App](rust-port/wifi-densepose-rs/crates/wifi-densepose-desktop/README.md) | **WIP** — Tauri v2 desktop app for node management, OTA updates, WASM deployment, and mesh visualization |
+| [Desktop App](v2/crates/wifi-densepose-desktop/README.md) | **WIP** — Tauri v2 desktop app for node management, OTA updates, WASM deployment, and mesh visualization |
 | [Medical Examples](examples/medical/README.md) | Contactless blood pressure, heart rate, breathing rate via 60 GHz mmWave radar — $15 hardware, no wearable |

 ---
@ -286,24 +581,24 @@ Small programs that run directly on the ESP32 sensor — no internet needed, no
 | ⚛️ | [**Quantum-Inspired**](docs/edge-modules/autonomous.md) | Uses quantum-inspired math to map room-wide signal coherence and search for optimal sensor configurations |
 | 🤖 | [**Autonomous & Exotic**](docs/edge-modules/autonomous.md) | Self-managing sensor mesh — auto-heals dropped nodes, plans its own actions, and explores experimental signal representations |

-All implemented modules are `no_std` Rust, share a [common utility library](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/vendor_common.rs), and talk to the host through a 12-function API. Full documentation: [**Edge Modules Guide**](docs/edge-modules/README.md). See the [complete implemented module list](#edge-module-list) below.
+All implemented modules are `no_std` Rust, share a [common utility library](v2/crates/wifi-densepose-wasm-edge/src/vendor_common.rs), and talk to the host through a 12-function API. Full documentation: [**Edge Modules Guide**](docs/edge-modules/README.md). See the [complete implemented module list](#edge-module-list) below.

 <details id="edge-module-list">
 <summary><strong>🧩 Edge Intelligence — <a href="docs/edge-modules/README.md">All 65 Modules Implemented</a></strong> (ADR-041 complete)</summary>

-All 60 modules are implemented, tested (609 tests passing), and ready to deploy. They compile to `wasm32-unknown-unknown`, run on ESP32-S3 via WASM3, and share a [common utility library](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/vendor_common.rs). Source: [`crates/wifi-densepose-wasm-edge/src/`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/)
+All 60 modules are implemented, tested (609 tests passing), and ready to deploy. They compile to `wasm32-unknown-unknown`, run on ESP32-S3 via WASM3, and share a [common utility library](v2/crates/wifi-densepose-wasm-edge/src/vendor_common.rs). Source: [`crates/wifi-densepose-wasm-edge/src/`](v2/crates/wifi-densepose-wasm-edge/src/)

 **Core modules** (ADR-040 flagship + early implementations):

 | Module | File | What It Does |
 |--------|------|-------------|
-| Gesture Classifier | [`gesture.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/gesture.rs) | DTW template matching for hand gestures |
-| Coherence Filter | [`coherence.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/coherence.rs) | Phase coherence gating for signal quality |
-| Adversarial Detector | [`adversarial.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/adversarial.rs) | Detects physically impossible signal patterns |
-| Intrusion Detector | [`intrusion.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/intrusion.rs) | Human vs non-human motion classification |
-| Occupancy Counter | [`occupancy.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/occupancy.rs) | Zone-level person counting |
-| Vital Trend | [`vital_trend.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/vital_trend.rs) | Long-term breathing and heart rate trending |
-| RVF Parser | [`rvf.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/rvf.rs) | RVF container format parsing |
+| Gesture Classifier | [`gesture.rs`](v2/crates/wifi-densepose-wasm-edge/src/gesture.rs) | DTW template matching for hand gestures |
+| Coherence Filter | [`coherence.rs`](v2/crates/wifi-densepose-wasm-edge/src/coherence.rs) | Phase coherence gating for signal quality |
+| Adversarial Detector | [`adversarial.rs`](v2/crates/wifi-densepose-wasm-edge/src/adversarial.rs) | Detects physically impossible signal patterns |
+| Intrusion Detector | [`intrusion.rs`](v2/crates/wifi-densepose-wasm-edge/src/intrusion.rs) | Human vs non-human motion classification |
+| Occupancy Counter | [`occupancy.rs`](v2/crates/wifi-densepose-wasm-edge/src/occupancy.rs) | Zone-level person counting |
+| Vital Trend | [`vital_trend.rs`](v2/crates/wifi-densepose-wasm-edge/src/vital_trend.rs) | Long-term breathing and heart rate trending |
+| RVF Parser | [`rvf.rs`](v2/crates/wifi-densepose-wasm-edge/src/rvf.rs) | RVF container format parsing |

 **Vendor-integrated modules** (24 modules, ADR-041 Category 7):

@ -311,128 +606,128 @@ All 60 modules are implemented, tested (609 tests passing), and ready to deploy.

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Flash Attention | [`sig_flash_attention.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sig_flash_attention.rs) | Tiled attention over 8 subcarrier groups — finds spatial focus regions and entropy | S (<5ms) |
-| Coherence Gate | [`sig_coherence_gate.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sig_coherence_gate.rs) | Z-score phasor gating with hysteresis: Accept / PredictOnly / Reject / Recalibrate | L (<2ms) |
-| Temporal Compress | [`sig_temporal_compress.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sig_temporal_compress.rs) | 3-tier adaptive quantization (8-bit hot / 5-bit warm / 3-bit cold) | L (<2ms) |
-| Sparse Recovery | [`sig_sparse_recovery.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sig_sparse_recovery.rs) | ISTA L1 reconstruction for dropped subcarriers | H (<10ms) |
-| Person Match | [`sig_mincut_person_match.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sig_mincut_person_match.rs) | Hungarian-lite bipartite assignment for multi-person tracking | S (<5ms) |
-| Optimal Transport | [`sig_optimal_transport.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sig_optimal_transport.rs) | Sliced Wasserstein-1 distance with 4 projections | L (<2ms) |
+| Flash Attention | [`sig_flash_attention.rs`](v2/crates/wifi-densepose-wasm-edge/src/sig_flash_attention.rs) | Tiled attention over 8 subcarrier groups — finds spatial focus regions and entropy | S (<5ms) |
+| Coherence Gate | [`sig_coherence_gate.rs`](v2/crates/wifi-densepose-wasm-edge/src/sig_coherence_gate.rs) | Z-score phasor gating with hysteresis: Accept / PredictOnly / Reject / Recalibrate | L (<2ms) |
+| Temporal Compress | [`sig_temporal_compress.rs`](v2/crates/wifi-densepose-wasm-edge/src/sig_temporal_compress.rs) | 3-tier adaptive quantization (8-bit hot / 5-bit warm / 3-bit cold) | L (<2ms) |
+| Sparse Recovery | [`sig_sparse_recovery.rs`](v2/crates/wifi-densepose-wasm-edge/src/sig_sparse_recovery.rs) | ISTA L1 reconstruction for dropped subcarriers | H (<10ms) |
+| Person Match | [`sig_mincut_person_match.rs`](v2/crates/wifi-densepose-wasm-edge/src/sig_mincut_person_match.rs) | Hungarian-lite bipartite assignment for multi-person tracking | S (<5ms) |
+| Optimal Transport | [`sig_optimal_transport.rs`](v2/crates/wifi-densepose-wasm-edge/src/sig_optimal_transport.rs) | Sliced Wasserstein-1 distance with 4 projections | L (<2ms) |

 **🧠 Adaptive Learning** — On-device learning without cloud connectivity

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| DTW Gesture Learn | [`lrn_dtw_gesture_learn.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/lrn_dtw_gesture_learn.rs) | User-teachable gesture recognition — 3-rehearsal protocol, 16 templates | S (<5ms) |
-| Anomaly Attractor | [`lrn_anomaly_attractor.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/lrn_anomaly_attractor.rs) | 4D dynamical system attractor classification with Lyapunov exponents | H (<10ms) |
-| Meta Adapt | [`lrn_meta_adapt.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/lrn_meta_adapt.rs) | Hill-climbing self-optimization with safety rollback | L (<2ms) |
-| EWC Lifelong | [`lrn_ewc_lifelong.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/lrn_ewc_lifelong.rs) | Elastic Weight Consolidation — remembers past tasks while learning new ones | S (<5ms) |
+| DTW Gesture Learn | [`lrn_dtw_gesture_learn.rs`](v2/crates/wifi-densepose-wasm-edge/src/lrn_dtw_gesture_learn.rs) | User-teachable gesture recognition — 3-rehearsal protocol, 16 templates | S (<5ms) |
+| Anomaly Attractor | [`lrn_anomaly_attractor.rs`](v2/crates/wifi-densepose-wasm-edge/src/lrn_anomaly_attractor.rs) | 4D dynamical system attractor classification with Lyapunov exponents | H (<10ms) |
+| Meta Adapt | [`lrn_meta_adapt.rs`](v2/crates/wifi-densepose-wasm-edge/src/lrn_meta_adapt.rs) | Hill-climbing self-optimization with safety rollback | L (<2ms) |
+| EWC Lifelong | [`lrn_ewc_lifelong.rs`](v2/crates/wifi-densepose-wasm-edge/src/lrn_ewc_lifelong.rs) | Elastic Weight Consolidation — remembers past tasks while learning new ones | S (<5ms) |

 **🗺️ Spatial Reasoning** — Location, proximity, and influence mapping

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| PageRank Influence | [`spt_pagerank_influence.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/spt_pagerank_influence.rs) | 4x4 cross-correlation graph with power iteration PageRank | L (<2ms) |
-| Micro HNSW | [`spt_micro_hnsw.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/spt_micro_hnsw.rs) | 64-vector navigable small-world graph for nearest-neighbor search | S (<5ms) |
-| Spiking Tracker | [`spt_spiking_tracker.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/spt_spiking_tracker.rs) | 32 LIF neurons + 4 output zone neurons with STDP learning | S (<5ms) |
+| PageRank Influence | [`spt_pagerank_influence.rs`](v2/crates/wifi-densepose-wasm-edge/src/spt_pagerank_influence.rs) | 4x4 cross-correlation graph with power iteration PageRank | L (<2ms) |
+| Micro HNSW | [`spt_micro_hnsw.rs`](v2/crates/wifi-densepose-wasm-edge/src/spt_micro_hnsw.rs) | 64-vector navigable small-world graph for nearest-neighbor search | S (<5ms) |
+| Spiking Tracker | [`spt_spiking_tracker.rs`](v2/crates/wifi-densepose-wasm-edge/src/spt_spiking_tracker.rs) | 32 LIF neurons + 4 output zone neurons with STDP learning | S (<5ms) |

 **⏱️ Temporal Analysis** — Activity patterns, logic verification, autonomous planning

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Pattern Sequence | [`tmp_pattern_sequence.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/tmp_pattern_sequence.rs) | Activity routine detection and deviation alerts | S (<5ms) |
-| Temporal Logic Guard | [`tmp_temporal_logic_guard.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/tmp_temporal_logic_guard.rs) | LTL formula verification on CSI event streams | S (<5ms) |
-| GOAP Autonomy | [`tmp_goap_autonomy.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/tmp_goap_autonomy.rs) | Goal-Oriented Action Planning for autonomous module management | S (<5ms) |
+| Pattern Sequence | [`tmp_pattern_sequence.rs`](v2/crates/wifi-densepose-wasm-edge/src/tmp_pattern_sequence.rs) | Activity routine detection and deviation alerts | S (<5ms) |
+| Temporal Logic Guard | [`tmp_temporal_logic_guard.rs`](v2/crates/wifi-densepose-wasm-edge/src/tmp_temporal_logic_guard.rs) | LTL formula verification on CSI event streams | S (<5ms) |
+| GOAP Autonomy | [`tmp_goap_autonomy.rs`](v2/crates/wifi-densepose-wasm-edge/src/tmp_goap_autonomy.rs) | Goal-Oriented Action Planning for autonomous module management | S (<5ms) |

 **🛡️ AI Security** — Tamper detection and behavioral anomaly profiling

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Prompt Shield | [`ais_prompt_shield.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ais_prompt_shield.rs) | FNV-1a replay detection, injection detection (10x amplitude), jamming (SNR) | L (<2ms) |
-| Behavioral Profiler | [`ais_behavioral_profiler.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ais_behavioral_profiler.rs) | 6D behavioral profile with Mahalanobis anomaly scoring | S (<5ms) |
+| Prompt Shield | [`ais_prompt_shield.rs`](v2/crates/wifi-densepose-wasm-edge/src/ais_prompt_shield.rs) | FNV-1a replay detection, injection detection (10x amplitude), jamming (SNR) | L (<2ms) |
+| Behavioral Profiler | [`ais_behavioral_profiler.rs`](v2/crates/wifi-densepose-wasm-edge/src/ais_behavioral_profiler.rs) | 6D behavioral profile with Mahalanobis anomaly scoring | S (<5ms) |

 **⚛️ Quantum-Inspired** — Quantum computing metaphors applied to CSI analysis

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Quantum Coherence | [`qnt_quantum_coherence.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/qnt_quantum_coherence.rs) | Bloch sphere mapping, Von Neumann entropy, decoherence detection | S (<5ms) |
-| Interference Search | [`qnt_interference_search.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/qnt_interference_search.rs) | 16 room-state hypotheses with Grover-inspired oracle + diffusion | S (<5ms) |
+| Quantum Coherence | [`qnt_quantum_coherence.rs`](v2/crates/wifi-densepose-wasm-edge/src/qnt_quantum_coherence.rs) | Bloch sphere mapping, Von Neumann entropy, decoherence detection | S (<5ms) |
+| Interference Search | [`qnt_interference_search.rs`](v2/crates/wifi-densepose-wasm-edge/src/qnt_interference_search.rs) | 16 room-state hypotheses with Grover-inspired oracle + diffusion | S (<5ms) |

 **🤖 Autonomous Systems** — Self-governing and self-healing behaviors

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Psycho-Symbolic | [`aut_psycho_symbolic.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/aut_psycho_symbolic.rs) | 16-rule forward-chaining knowledge base with contradiction detection | S (<5ms) |
-| Self-Healing Mesh | [`aut_self_healing_mesh.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/aut_self_healing_mesh.rs) | 8-node mesh with health tracking, degradation/recovery, coverage healing | S (<5ms) |
+| Psycho-Symbolic | [`aut_psycho_symbolic.rs`](v2/crates/wifi-densepose-wasm-edge/src/aut_psycho_symbolic.rs) | 16-rule forward-chaining knowledge base with contradiction detection | S (<5ms) |
+| Self-Healing Mesh | [`aut_self_healing_mesh.rs`](v2/crates/wifi-densepose-wasm-edge/src/aut_self_healing_mesh.rs) | 8-node mesh with health tracking, degradation/recovery, coverage healing | S (<5ms) |

 **🔮 Exotic (Vendor)** — Novel mathematical models for CSI interpretation

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Time Crystal | [`exo_time_crystal.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/exo_time_crystal.rs) | Autocorrelation subharmonic detection in 256-frame history | S (<5ms) |
-| Hyperbolic Space | [`exo_hyperbolic_space.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/exo_hyperbolic_space.rs) | Poincare ball embedding with 32 reference locations, hyperbolic distance | S (<5ms) |
+| Time Crystal | [`exo_time_crystal.rs`](v2/crates/wifi-densepose-wasm-edge/src/exo_time_crystal.rs) | Autocorrelation subharmonic detection in 256-frame history | S (<5ms) |
+| Hyperbolic Space | [`exo_hyperbolic_space.rs`](v2/crates/wifi-densepose-wasm-edge/src/exo_hyperbolic_space.rs) | Poincare ball embedding with 32 reference locations, hyperbolic distance | S (<5ms) |

 **🏥 Medical & Health** (Category 1) — Contactless health monitoring

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Sleep Apnea | [`med_sleep_apnea.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/med_sleep_apnea.rs) | Detects breathing pauses during sleep | S (<5ms) |
-| Cardiac Arrhythmia | [`med_cardiac_arrhythmia.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/med_cardiac_arrhythmia.rs) | Monitors heart rate for irregular rhythms | S (<5ms) |
-| Respiratory Distress | [`med_respiratory_distress.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/med_respiratory_distress.rs) | Alerts on abnormal breathing patterns | S (<5ms) |
-| Gait Analysis | [`med_gait_analysis.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/med_gait_analysis.rs) | Tracks walking patterns and detects changes | S (<5ms) |
-| Seizure Detection | [`med_seizure_detect.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/med_seizure_detect.rs) | 6-state machine for tonic-clonic seizure recognition | S (<5ms) |
+| Sleep Apnea | [`med_sleep_apnea.rs`](v2/crates/wifi-densepose-wasm-edge/src/med_sleep_apnea.rs) | Detects breathing pauses during sleep | S (<5ms) |
+| Cardiac Arrhythmia | [`med_cardiac_arrhythmia.rs`](v2/crates/wifi-densepose-wasm-edge/src/med_cardiac_arrhythmia.rs) | Monitors heart rate for irregular rhythms | S (<5ms) |
+| Respiratory Distress | [`med_respiratory_distress.rs`](v2/crates/wifi-densepose-wasm-edge/src/med_respiratory_distress.rs) | Alerts on abnormal breathing patterns | S (<5ms) |
+| Gait Analysis | [`med_gait_analysis.rs`](v2/crates/wifi-densepose-wasm-edge/src/med_gait_analysis.rs) | Tracks walking patterns and detects changes | S (<5ms) |
+| Seizure Detection | [`med_seizure_detect.rs`](v2/crates/wifi-densepose-wasm-edge/src/med_seizure_detect.rs) | 6-state machine for tonic-clonic seizure recognition | S (<5ms) |

 **🔐 Security & Safety** (Category 2) — Perimeter and threat detection

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Perimeter Breach | [`sec_perimeter_breach.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sec_perimeter_breach.rs) | Detects boundary crossings with approach/departure | S (<5ms) |
-| Weapon Detection | [`sec_weapon_detect.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sec_weapon_detect.rs) | Metal anomaly detection via CSI amplitude shifts | S (<5ms) |
-| Tailgating | [`sec_tailgating.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sec_tailgating.rs) | Detects unauthorized follow-through at access points | S (<5ms) |
-| Loitering | [`sec_loitering.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sec_loitering.rs) | Alerts when someone lingers too long in a zone | S (<5ms) |
-| Panic Motion | [`sec_panic_motion.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/sec_panic_motion.rs) | Detects fleeing, struggling, or panic movement | S (<5ms) |
+| Perimeter Breach | [`sec_perimeter_breach.rs`](v2/crates/wifi-densepose-wasm-edge/src/sec_perimeter_breach.rs) | Detects boundary crossings with approach/departure | S (<5ms) |
+| Weapon Detection | [`sec_weapon_detect.rs`](v2/crates/wifi-densepose-wasm-edge/src/sec_weapon_detect.rs) | Metal anomaly detection via CSI amplitude shifts | S (<5ms) |
+| Tailgating | [`sec_tailgating.rs`](v2/crates/wifi-densepose-wasm-edge/src/sec_tailgating.rs) | Detects unauthorized follow-through at access points | S (<5ms) |
+| Loitering | [`sec_loitering.rs`](v2/crates/wifi-densepose-wasm-edge/src/sec_loitering.rs) | Alerts when someone lingers too long in a zone | S (<5ms) |
+| Panic Motion | [`sec_panic_motion.rs`](v2/crates/wifi-densepose-wasm-edge/src/sec_panic_motion.rs) | Detects fleeing, struggling, or panic movement | S (<5ms) |

 **🏢 Smart Building** (Category 3) — Automation and energy efficiency

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| HVAC Presence | [`bld_hvac_presence.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/bld_hvac_presence.rs) | Occupancy-driven HVAC control with departure countdown | S (<5ms) |
-| Lighting Zones | [`bld_lighting_zones.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/bld_lighting_zones.rs) | Auto-dim/off lighting based on zone activity | S (<5ms) |
-| Elevator Count | [`bld_elevator_count.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/bld_elevator_count.rs) | Counts people entering/leaving with overload warning | S (<5ms) |
-| Meeting Room | [`bld_meeting_room.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/bld_meeting_room.rs) | Tracks meeting lifecycle: start, headcount, end, availability | S (<5ms) |
-| Energy Audit | [`bld_energy_audit.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/bld_energy_audit.rs) | Tracks after-hours usage and room utilization rates | S (<5ms) |
+| HVAC Presence | [`bld_hvac_presence.rs`](v2/crates/wifi-densepose-wasm-edge/src/bld_hvac_presence.rs) | Occupancy-driven HVAC control with departure countdown | S (<5ms) |
+| Lighting Zones | [`bld_lighting_zones.rs`](v2/crates/wifi-densepose-wasm-edge/src/bld_lighting_zones.rs) | Auto-dim/off lighting based on zone activity | S (<5ms) |
+| Elevator Count | [`bld_elevator_count.rs`](v2/crates/wifi-densepose-wasm-edge/src/bld_elevator_count.rs) | Counts people entering/leaving with overload warning | S (<5ms) |
+| Meeting Room | [`bld_meeting_room.rs`](v2/crates/wifi-densepose-wasm-edge/src/bld_meeting_room.rs) | Tracks meeting lifecycle: start, headcount, end, availability | S (<5ms) |
+| Energy Audit | [`bld_energy_audit.rs`](v2/crates/wifi-densepose-wasm-edge/src/bld_energy_audit.rs) | Tracks after-hours usage and room utilization rates | S (<5ms) |

 **🛒 Retail & Hospitality** (Category 4) — Customer insights without cameras

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Queue Length | [`ret_queue_length.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ret_queue_length.rs) | Estimates queue size and wait times | S (<5ms) |
-| Dwell Heatmap | [`ret_dwell_heatmap.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ret_dwell_heatmap.rs) | Shows where people spend time (hot/cold zones) | S (<5ms) |
-| Customer Flow | [`ret_customer_flow.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ret_customer_flow.rs) | Counts ins/outs and tracks net occupancy | S (<5ms) |
-| Table Turnover | [`ret_table_turnover.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ret_table_turnover.rs) | Restaurant table lifecycle: seated, dining, vacated | S (<5ms) |
-| Shelf Engagement | [`ret_shelf_engagement.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ret_shelf_engagement.rs) | Detects browsing, considering, and reaching for products | S (<5ms) |
+| Queue Length | [`ret_queue_length.rs`](v2/crates/wifi-densepose-wasm-edge/src/ret_queue_length.rs) | Estimates queue size and wait times | S (<5ms) |
+| Dwell Heatmap | [`ret_dwell_heatmap.rs`](v2/crates/wifi-densepose-wasm-edge/src/ret_dwell_heatmap.rs) | Shows where people spend time (hot/cold zones) | S (<5ms) |
+| Customer Flow | [`ret_customer_flow.rs`](v2/crates/wifi-densepose-wasm-edge/src/ret_customer_flow.rs) | Counts ins/outs and tracks net occupancy | S (<5ms) |
+| Table Turnover | [`ret_table_turnover.rs`](v2/crates/wifi-densepose-wasm-edge/src/ret_table_turnover.rs) | Restaurant table lifecycle: seated, dining, vacated | S (<5ms) |
+| Shelf Engagement | [`ret_shelf_engagement.rs`](v2/crates/wifi-densepose-wasm-edge/src/ret_shelf_engagement.rs) | Detects browsing, considering, and reaching for products | S (<5ms) |

 **🏭 Industrial & Specialized** (Category 5) — Safety and compliance

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Forklift Proximity | [`ind_forklift_proximity.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ind_forklift_proximity.rs) | Warns when people get too close to vehicles | S (<5ms) |
-| Confined Space | [`ind_confined_space.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ind_confined_space.rs) | OSHA-compliant worker monitoring with extraction alerts | S (<5ms) |
-| Clean Room | [`ind_clean_room.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ind_clean_room.rs) | Occupancy limits and turbulent motion detection | S (<5ms) |
-| Livestock Monitor | [`ind_livestock_monitor.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ind_livestock_monitor.rs) | Animal presence, stillness, and escape alerts | S (<5ms) |
-| Structural Vibration | [`ind_structural_vibration.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/ind_structural_vibration.rs) | Seismic events, mechanical resonance, structural drift | S (<5ms) |
+| Forklift Proximity | [`ind_forklift_proximity.rs`](v2/crates/wifi-densepose-wasm-edge/src/ind_forklift_proximity.rs) | Warns when people get too close to vehicles | S (<5ms) |
+| Confined Space | [`ind_confined_space.rs`](v2/crates/wifi-densepose-wasm-edge/src/ind_confined_space.rs) | OSHA-compliant worker monitoring with extraction alerts | S (<5ms) |
+| Clean Room | [`ind_clean_room.rs`](v2/crates/wifi-densepose-wasm-edge/src/ind_clean_room.rs) | Occupancy limits and turbulent motion detection | S (<5ms) |
+| Livestock Monitor | [`ind_livestock_monitor.rs`](v2/crates/wifi-densepose-wasm-edge/src/ind_livestock_monitor.rs) | Animal presence, stillness, and escape alerts | S (<5ms) |
+| Structural Vibration | [`ind_structural_vibration.rs`](v2/crates/wifi-densepose-wasm-edge/src/ind_structural_vibration.rs) | Seismic events, mechanical resonance, structural drift | S (<5ms) |

 **🔮 Exotic & Research** (Category 6) — Experimental sensing applications

 | Module | File | What It Does | Budget |
 |--------|------|-------------|--------|
-| Dream Stage | [`exo_dream_stage.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/exo_dream_stage.rs) | Contactless sleep stage classification (wake/light/deep/REM) | S (<5ms) |
-| Emotion Detection | [`exo_emotion_detect.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/exo_emotion_detect.rs) | Arousal, stress, and calm detection from micro-movements | S (<5ms) |
-| Gesture Language | [`exo_gesture_language.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/exo_gesture_language.rs) | Sign language letter recognition via WiFi | S (<5ms) |
-| Music Conductor | [`exo_music_conductor.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/exo_music_conductor.rs) | Tempo and dynamic tracking from conducting gestures | S (<5ms) |
-| Plant Growth | [`exo_plant_growth.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/exo_plant_growth.rs) | Monitors plant growth, circadian rhythms, wilt detection | S (<5ms) |
-| Ghost Hunter | [`exo_ghost_hunter.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/exo_ghost_hunter.rs) | Environmental anomaly classification (draft/insect/wind/unknown) | S (<5ms) |
-| Rain Detection | [`exo_rain_detect.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/exo_rain_detect.rs) | Detects rain onset, intensity, and cessation via signal scatter | S (<5ms) |
-| Breathing Sync | [`exo_breathing_sync.rs`](rust-port/wifi-densepose-rs/crates/wifi-densepose-wasm-edge/src/exo_breathing_sync.rs) | Detects synchronized breathing between multiple people | S (<5ms) |
+| Dream Stage | [`exo_dream_stage.rs`](v2/crates/wifi-densepose-wasm-edge/src/exo_dream_stage.rs) | Contactless sleep stage classification (wake/light/deep/REM) | S (<5ms) |
+| Emotion Detection | [`exo_emotion_detect.rs`](v2/crates/wifi-densepose-wasm-edge/src/exo_emotion_detect.rs) | Arousal, stress, and calm detection from micro-movements | S (<5ms) |
+| Gesture Language | [`exo_gesture_language.rs`](v2/crates/wifi-densepose-wasm-edge/src/exo_gesture_language.rs) | Sign language letter recognition via WiFi | S (<5ms) |
+| Music Conductor | [`exo_music_conductor.rs`](v2/crates/wifi-densepose-wasm-edge/src/exo_music_conductor.rs) | Tempo and dynamic tracking from conducting gestures | S (<5ms) |
+| Plant Growth | [`exo_plant_growth.rs`](v2/crates/wifi-densepose-wasm-edge/src/exo_plant_growth.rs) | Monitors plant growth, circadian rhythms, wilt detection | S (<5ms) |
+| Ghost Hunter | [`exo_ghost_hunter.rs`](v2/crates/wifi-densepose-wasm-edge/src/exo_ghost_hunter.rs) | Environmental anomaly classification (draft/insect/wind/unknown) | S (<5ms) |
+| Rain Detection | [`exo_rain_detect.rs`](v2/crates/wifi-densepose-wasm-edge/src/exo_rain_detect.rs) | Detects rain onset, intensity, and cessation via signal scatter | S (<5ms) |
+| Breathing Sync | [`exo_breathing_sync.rs`](v2/crates/wifi-densepose-wasm-edge/src/exo_breathing_sync.rs) | Detects synchronized breathing between multiple people | S (<5ms) |

 </details>

@ -560,7 +855,7 @@ git clone https://github.com/ruvnet/RuView.git
 cd RuView

 # Rust (primary — 810x faster)
-cd rust-port/wifi-densepose-rs
+cd v2
 cargo build --release
 cargo test --workspace

@ -650,10 +945,12 @@ cargo add wifi-densepose-ruvector   # RuVector v2.0.4 integration layer (ADR-017
 | [`wifi-densepose-api`](https://crates.io/crates/wifi-densepose-api) | REST + WebSocket API layer | -- | [![crates.io](https://img.shields.io/crates/v/wifi-densepose-api.svg)](https://crates.io/crates/wifi-densepose-api) |
 | [`wifi-densepose-config`](https://crates.io/crates/wifi-densepose-config) | Configuration management | -- | [![crates.io](https://img.shields.io/crates/v/wifi-densepose-config.svg)](https://crates.io/crates/wifi-densepose-config) |
 | [`wifi-densepose-db`](https://crates.io/crates/wifi-densepose-db) | Database persistence (PostgreSQL, SQLite, Redis) | -- | [![crates.io](https://img.shields.io/crates/v/wifi-densepose-db.svg)](https://crates.io/crates/wifi-densepose-db) |
+| `wifi-densepose-pointcloud` | Real-time dense point cloud from camera + WiFi CSI fusion (Three.js viewer, brain bridge). Workspace-only for now. | -- | — |
+| `wifi-densepose-geo` | Geospatial context (Sentinel-2 tiles, SRTM elevation, OSM, weather, night-mode). Workspace-only for now. | -- | — |

 All crates integrate with [RuVector v2.0.4](https://github.com/ruvnet/ruvector) — see [AI Backbone](#ai-backbone-ruvector) below.

-**[rUv Neural](rust-port/wifi-densepose-rs/crates/ruv-neural/)** — A separate 12-crate workspace for brain network topology analysis, neural decoding, and medical sensing. See [rUv Neural](#ruv-neural) in Models & Training.
+**[rUv Neural](v2/crates/ruv-neural/)** — A separate 12-crate workspace for brain network topology analysis, neural decoding, and medical sensing. See [rUv Neural](#ruv-neural) in Models & Training.

 </details>

@ -753,7 +1050,7 @@ The neural pipeline uses a graph transformer with cross-attention to map CSI fea
 | [RVF Model Container](#rvf-model-container) | Binary packaging with Ed25519 signing, progressive 3-layer loading, SIMD quantization | [ADR-023](docs/adr/ADR-023-trained-densepose-model-ruvector-pipeline.md) |
 | [Training & Fine-Tuning](#training--fine-tuning) | 8-phase pure Rust pipeline (7,832 lines), MM-Fi/Wi-Pose pre-training, 6-term composite loss, SONA LoRA | [ADR-023](docs/adr/ADR-023-trained-densepose-model-ruvector-pipeline.md) |
 | [RuVector Crates](#ruvector-crates) | 11 vendored Rust crates from [ruvector](https://github.com/ruvnet/ruvector): attention, min-cut, solver, GNN, HNSW, temporal compression, sparse inference | [GitHub](https://github.com/ruvnet/ruvector) · [Source](vendor/ruvector/) |
-| [rUv Neural](#ruv-neural) | 12-crate brain topology analysis ecosystem: neural decoding, quantum sensor integration, cognitive state classification, BCI output | [README](rust-port/wifi-densepose-rs/crates/ruv-neural/README.md) |
+| [rUv Neural](#ruv-neural) | 12-crate brain topology analysis ecosystem: neural decoding, quantum sensor integration, cognitive state classification, BCI output | [README](v2/crates/ruv-neural/README.md) |
 | [AI Backbone (RuVector)](#ai-backbone-ruvector) | 5 AI capabilities replacing hand-tuned thresholds: attention, graph min-cut, sparse solvers, tiered compression | [crates.io](https://crates.io/crates/wifi-densepose-ruvector) |
 | [Self-Learning WiFi AI (ADR-024)](#self-learning-wifi-ai-adr-024) | Contrastive self-supervised learning, room fingerprinting, anomaly detection, 55 KB model | [ADR-024](docs/adr/ADR-024-contrastive-csi-embedding-model.md) |
 | [Cross-Environment Generalization (ADR-027)](docs/adr/ADR-027-cross-environment-domain-generalization.md) | Domain-adversarial training, geometry-conditioned inference, hardware normalization, zero-shot deployment | [ADR-027](docs/adr/ADR-027-cross-environment-domain-generalization.md) |
@ -871,10 +1168,10 @@ Bundle verify:  7/7 checks PASS
 **Verify it yourself** (no hardware needed):
 ```bash
 # Run all tests
-cd rust-port/wifi-densepose-rs && cargo test --workspace --no-default-features
+cd v2 && cargo test --workspace --no-default-features

 # Run the deterministic proof
-python v1/data/proof/verify.py
+python archive/v1/data/proof/verify.py

 # Generate + verify the witness bundle
 bash scripts/generate-witness-bundle.sh
@ -1057,7 +1354,11 @@ Download a pre-built binary — no build toolchain needed:

 | Release | What's included | Tag |
 |---------|-----------------|-----|
-| [v0.5.0](https://github.com/ruvnet/RuView/releases/tag/v0.5.0-esp32) | **Stable** — mmWave sensor fusion ([ADR-063](docs/adr/ADR-063-mmwave-sensor-fusion.md)), auto-detect MR60BHA2/LD2410, 48-byte fused vitals, all v0.4.3.1 fixes | `v0.5.0-esp32` |
+| [v0.7.0](https://github.com/ruvnet/RuView/releases/tag/v0.7.0) | **Latest** — Camera-supervised WiFlow model (92.9% PCK@20), ground-truth training pipeline, ruvector optimizations | `v0.7.0` |
+| [v0.6.0](https://github.com/ruvnet/RuView/releases/tag/v0.6.0-esp32) | [Pre-trained models on HuggingFace](https://huggingface.co/ruv/ruview), 17 sensing apps, 51.6% contrastive improvement, 0.008ms inference | `v0.6.0-esp32` |
+| [v0.5.5](https://github.com/ruvnet/RuView/releases/tag/v0.5.5-esp32) | SNN + MinCut (#348 fix) + CNN spectrogram + WiFlow + multi-freq mesh + graph transformer | `v0.5.5-esp32` |
+| [v0.5.4](https://github.com/ruvnet/RuView/releases/tag/v0.5.4-esp32) | Cognitum Seed integration ([ADR-069](docs/adr/ADR-069-cognitum-seed-csi-pipeline.md)), 8-dim feature vectors, RVF store, witness chain, security hardening | `v0.5.4-esp32` |
+| [v0.5.0](https://github.com/ruvnet/RuView/releases/tag/v0.5.0-esp32) | mmWave sensor fusion ([ADR-063](docs/adr/ADR-063-mmwave-sensor-fusion.md)), auto-detect MR60BHA2/LD2410, 48-byte fused vitals, all v0.4.3.1 fixes | `v0.5.0-esp32` |
 | [v0.4.3.1](https://github.com/ruvnet/RuView/releases/tag/v0.4.3.1-esp32) | Fall detection fix ([#263](https://github.com/ruvnet/RuView/issues/263)), 4MB flash ([#265](https://github.com/ruvnet/RuView/issues/265)), watchdog fix ([#266](https://github.com/ruvnet/RuView/issues/266)) | `v0.4.3.1-esp32` |
 | [v0.4.1](https://github.com/ruvnet/RuView/releases/tag/v0.4.1-esp32) | CSI build fix, compile guard, AMOLED display, edge intelligence ([ADR-057](docs/adr/ADR-057-firmware-csi-build-guard.md)) | `v0.4.1-esp32` |
 | [v0.3.0-alpha](https://github.com/ruvnet/RuView/releases/tag/v0.3.0-alpha-esp32) | Alpha — adds on-device edge intelligence and WASM modules ([ADR-039](docs/adr/ADR-039-esp32-edge-intelligence.md), [ADR-040](docs/adr/ADR-040-wasm-programmable-sensing.md)) | `v0.3.0-alpha-esp32` |
@ -1103,6 +1404,34 @@ python firmware/esp32-csi-node/provision.py --port COM8 \

 Nodes can also hop across WiFi channels (1, 6, 11) to increase sensing bandwidth — configured via [ADR-029](docs/adr/ADR-029-ruvsense-multistatic-sensing-mode.md) channel hopping.

+### Cognitum Seed integration (ADR-069)
+
+Connect an ESP32 to a [Cognitum Seed](https://cognitum.one) ($131) for persistent vector storage, kNN search, cryptographic witness chain, and AI-accessible MCP proxy:
+
+```
+ESP32-S3 ($9)  ──UDP──>  Host bridge  ──HTTPS──>  Cognitum Seed ($15)
+  CSI capture              seed_csi_bridge.py         RVF vector store
+  8-dim features @ 1 Hz                              kNN similarity search
+  Vitals + presence                                  Ed25519 witness chain
+                                                     114-tool MCP proxy
+```
+
+```bash
+# 1. Provision ESP32 to send features to your laptop
+python firmware/esp32-csi-node/provision.py --port COM9 \
+  --ssid "YourWiFi" --password "secret" --target-ip 192.168.1.20 --target-port 5006
+
+# 2. Run the bridge (forwards to Seed via HTTPS)
+export SEED_TOKEN="your-pairing-token"
+python scripts/seed_csi_bridge.py \
+  --seed-url https://169.254.42.1:8443 --token "$SEED_TOKEN" --validate
+
+# 3. Check Seed stats
+python scripts/seed_csi_bridge.py --token "$SEED_TOKEN" --stats
+```
+
+The 8-dim feature vector captures: presence, motion, breathing rate, heart rate, phase variance, person count, fall detection, and RSSI — all normalized to [0.0, 1.0]. See [ADR-069](docs/adr/ADR-069-cognitum-seed-csi-pipeline.md) for the full architecture.
+
 ### On-device intelligence (v0.3.0-alpha)

 The alpha firmware can analyze signals locally and send compact results instead of raw data. This means the ESP32 works standalone — no server needed for basic sensing. Disabled by default for backward compatibility.
@ -1155,7 +1484,7 @@ See [firmware/esp32-csi-node/README.md](firmware/esp32-csi-node/README.md), [ADR
 | WASM Support | No | Yes |

 ```bash
-cd rust-port/wifi-densepose-rs
+cd v2
 cargo build --release
 cargo test --workspace
 cargo bench --package wifi-densepose-signal
@ -1452,7 +1781,7 @@ The full RuVector ecosystem includes 90+ crates. See [github.com/ruvnet/ruvector
 <details>
 <summary><a id="ruv-neural"></a><strong>🧠 rUv Neural</strong> — Brain topology analysis ecosystem for neural decoding and medical sensing</summary>

-[**rUv Neural**](rust-port/wifi-densepose-rs/crates/ruv-neural/README.md) is a 12-crate Rust ecosystem that extends RuView's signal processing into brain network topology analysis. It transforms neural magnetic field measurements from quantum sensors (NV diamond magnetometers, optically pumped magnetometers) into dynamic connectivity graphs, using minimum cut algorithms to detect cognitive state transitions in real time. The ecosystem includes crates for signal processing (`ruv-neural-signal`), graph construction (`ruv-neural-graph`), HNSW-indexed pattern memory (`ruv-neural-memory`), graph embeddings (`ruv-neural-embed`), cognitive state decoding (`ruv-neural-decoder`), and ESP32/WASM edge targets. Medical and research applications include early neurological disease detection via topology signatures, brain-computer interfaces, clinical neurofeedback, and non-invasive biomedical sensing -- bridging RuView's RF sensing architecture with the emerging field of quantum biomedical diagnostics.
+[**rUv Neural**](v2/crates/ruv-neural/README.md) is a 12-crate Rust ecosystem that extends RuView's signal processing into brain network topology analysis. It transforms neural magnetic field measurements from quantum sensors (NV diamond magnetometers, optically pumped magnetometers) into dynamic connectivity graphs, using minimum cut algorithms to detect cognitive state transitions in real time. The ecosystem includes crates for signal processing (`ruv-neural-signal`), graph construction (`ruv-neural-graph`), HNSW-indexed pattern memory (`ruv-neural-memory`), graph embeddings (`ruv-neural-embed`), cognitive state decoding (`ruv-neural-decoder`), and ESP32/WASM edge targets. Medical and research applications include early neurological disease detection via topology signatures, brain-computer interfaces, clinical neurofeedback, and non-invasive biomedical sensing -- bridging RuView's RF sensing architecture with the emerging field of quantum biomedical diagnostics.

 </details>

@ -1825,7 +2154,7 @@ wifi-densepose tasks list               # List background tasks

 ```bash
 # Rust tests (primary — 542+ tests)
-cd rust-port/wifi-densepose-rs
+cd v2
 cargo test --workspace

 # Sensing server tests (229 tests)
@ -1835,7 +2164,7 @@ cargo test -p wifi-densepose-sensing-server
 ./target/release/sensing-server --benchmark

 # Python tests
-python -m pytest v1/tests/ -v
+python -m pytest archive/v1/tests/ -v

 # Pipeline verification (no hardware needed)
 ./verify
@ -1929,7 +2258,7 @@ git clone https://github.com/ruvnet/RuView.git
 cd RuView

 # Rust development
-cd rust-port/wifi-densepose-rs
+cd v2
 cargo build --release
 cargo test --workspace

--- a/archive/README.md
+++ b/archive/README.md
@ -0,0 +1,74 @@
+# Archive
+
+Frozen, no-longer-active components of RuView preserved for historical
+reference, reproducibility, and load-bearing legacy paths the active
+codebase still depends on.
+
+## What lives here
+
+| Path | What it is | Why it's archived | Still load-bearing? |
+|------|------------|-------------------|---------------------|
+| `v1/` | Original Python implementation of RuView (CSI processing, hardware adapters, services, FastAPI) | Superseded by the Rust workspace at `v2/`; ~810× slower in benchmarks. Kept rather than deleted because the deterministic proof bundle (`v1/data/proof/`) is part of the pre-merge witness verification process per ADR-011 / ADR-028. | **Yes — for the proof bundle only.** Active code lives in `v2/`. |
+
+## What "archived" means
+
+- **Do not add new features here.** New work goes in `v2/`.
+- **Do not refactor or modernize the archived code beyond what is
+  strictly necessary** to keep the load-bearing paths working. The
+  Python proof bundle is intentionally frozen so that its SHA-256
+  reproducibility holds across releases (per ADR-028's witness
+  verification requirement).
+- **Bug fixes inside archived code are allowed** when the bug affects a
+  still-load-bearing path (currently: only the Python proof). All
+  other "bugs" in archived code are out-of-scope — they are part of
+  the historical record and any fix would unnecessarily churn the
+  witness hashes.
+- **CI continues to verify the load-bearing paths.**
+  `.github/workflows/verify-pipeline.yml` runs the Python proof on
+  every push and PR; if you change anything inside `archive/v1/src/`
+  or `archive/v1/data/proof/`, expect the determinism check to flag
+  it.
+
+## Quick reference for the load-bearing paths
+
+```bash
+# Run the deterministic Python proof (must print VERDICT: PASS)
+python archive/v1/data/proof/verify.py
+
+# Regenerate the expected hash (only if numpy/scipy version legitimately changed)
+python archive/v1/data/proof/verify.py --generate-hash
+
+# Run the full Python test suite (legacy, still maintained)
+cd archive/v1&& python -m pytest tests/ -x -q
+```
+
+## Why we keep `v1/` rather than delete it
+
+1. **Trust kill-switch.** The proof at `v1/data/proof/verify.py` feeds
+   a known reference signal through the full pipeline and hashes the
+   output. If the active code's behavior drifts, the hash changes and
+   CI fails. This is what stops accidental regression in the science
+   layer of the codebase.
+
+2. **Witness verification.** ADR-028's witness-bundle process bundles
+   the proof, the rust workspace test results, and firmware hashes
+   into a tarball recipients can self-verify. Removing v1 would break
+   that chain.
+
+3. **Historical reference.** ADR-011 documents the "no mocks in
+   production code" decision; the original violations and their fixes
+   live in this Python codebase. The ADRs reference these paths.
+
+If the time comes to retire the proof bundle (e.g., a Rust port of
+the proof exists and the Python version is no longer canonical), the
+right move is a single follow-up that simultaneously: ports the
+witness-bundle process, updates `verify-pipeline.yml`, and either
+deletes `archive/v1/` or moves it to a separate read-only repository.
+That decision belongs in its own ADR.
+
+## See also
+
+- `docs/adr/ADR-011-python-proof-of-reality-mock-elimination.md`
+- `docs/adr/ADR-028-esp32-capability-audit.md`
+- `archive/v1/data/proof/README.md` (if present)
+- `docs/WITNESS-LOG-028.md`
--- a/archive/v1/README.md
+++ b/archive/v1/README.md
@ -51,4 +51,4 @@ pytest tests/

 ## Note

-This is the legacy Python implementation. For the new Rust implementation with improved performance, see `/rust-port/wifi-densepose-rs/`.
+This is the legacy Python implementation. For the new Rust implementation with improved performance, see `/v2/`.
--- a/archive/v1/init.py
+++ b/archive/v1/init.py
--- a/archive/v1/data/proof/expected_features.sha256
+++ b/archive/v1/data/proof/expected_features.sha256
--- a/archive/v1/data/proof/generate_reference_signal.py
+++ b/archive/v1/data/proof/generate_reference_signal.py
--- a/archive/v1/data/proof/sample_csi_data.json
+++ b/archive/v1/data/proof/sample_csi_data.json
--- a/archive/v1/data/proof/sample_csi_meta.json
+++ b/archive/v1/data/proof/sample_csi_meta.json
--- a/archive/v1/data/proof/verify.py
+++ b/archive/v1/data/proof/verify.py
--- a/archive/v1/data/test_wifi_densepose.db
+++ b/archive/v1/data/test_wifi_densepose.db
--- a/archive/v1/data/wifi_densepose_fallback.db
+++ b/archive/v1/data/wifi_densepose_fallback.db
--- a/archive/v1/docs/api-endpoints-summary.md
+++ b/archive/v1/docs/api-endpoints-summary.md
--- a/archive/v1/docs/api-test-results.md
+++ b/archive/v1/docs/api-test-results.md
--- a/archive/v1/docs/api/rest-endpoints.md
+++ b/archive/v1/docs/api/rest-endpoints.md
--- a/archive/v1/docs/api/websocket-api.md
+++ b/archive/v1/docs/api/websocket-api.md
--- a/archive/v1/docs/api_reference.md
+++ b/archive/v1/docs/api_reference.md
--- a/archive/v1/docs/deployment.md
+++ b/archive/v1/docs/deployment.md
--- a/archive/v1/docs/deployment/README.md
+++ b/archive/v1/docs/deployment/README.md
--- a/archive/v1/docs/developer/architecture-overview.md
+++ b/archive/v1/docs/developer/architecture-overview.md
--- a/archive/v1/docs/developer/contributing.md
+++ b/archive/v1/docs/developer/contributing.md
--- a/archive/v1/docs/developer/deployment-guide.md
+++ b/archive/v1/docs/developer/deployment-guide.md
--- a/archive/v1/docs/developer/testing-guide.md
+++ b/archive/v1/docs/developer/testing-guide.md
--- a/archive/v1/docs/implementation-plan.md
+++ b/archive/v1/docs/implementation-plan.md
--- a/archive/v1/docs/integration/README.md
+++ b/archive/v1/docs/integration/README.md
--- a/archive/v1/docs/review/comprehensive-system-review.md
+++ b/archive/v1/docs/review/comprehensive-system-review.md
--- a/archive/v1/docs/review/database-operations-findings.md
+++ b/archive/v1/docs/review/database-operations-findings.md
--- a/archive/v1/docs/review/hardware-integration-review.md
+++ b/archive/v1/docs/review/hardware-integration-review.md
--- a/archive/v1/docs/review/readme.md
+++ b/archive/v1/docs/review/readme.md
--- a/archive/v1/docs/security-features.md
+++ b/archive/v1/docs/security-features.md
--- a/archive/v1/docs/troubleshooting.md
+++ b/archive/v1/docs/troubleshooting.md
--- a/archive/v1/docs/user-guide/api-reference.md
+++ b/archive/v1/docs/user-guide/api-reference.md
--- a/archive/v1/docs/user-guide/configuration.md
+++ b/archive/v1/docs/user-guide/configuration.md
--- a/archive/v1/docs/user-guide/getting-started.md
+++ b/archive/v1/docs/user-guide/getting-started.md
--- a/archive/v1/docs/user-guide/troubleshooting.md
+++ b/archive/v1/docs/user-guide/troubleshooting.md
--- a/archive/v1/docs/user_guide.md
+++ b/archive/v1/docs/user_guide.md
--- a/archive/v1/requirements-lock.txt
+++ b/archive/v1/requirements-lock.txt
--- a/archive/v1/scripts/api_test_results_20250607_122720.json
+++ b/archive/v1/scripts/api_test_results_20250607_122720.json
--- a/archive/v1/scripts/api_test_results_20250607_122856.json
+++ b/archive/v1/scripts/api_test_results_20250607_122856.json
--- a/archive/v1/scripts/api_test_results_20250607_123111.json
+++ b/archive/v1/scripts/api_test_results_20250607_123111.json
--- a/archive/v1/scripts/api_test_results_20250609_161617.json
+++ b/archive/v1/scripts/api_test_results_20250609_161617.json
--- a/archive/v1/scripts/api_test_results_20250609_162928.json
+++ b/archive/v1/scripts/api_test_results_20250609_162928.json
--- a/archive/v1/scripts/test_api_endpoints.py
+++ b/archive/v1/scripts/test_api_endpoints.py
--- a/archive/v1/scripts/test_monitoring.py
+++ b/archive/v1/scripts/test_monitoring.py
--- a/archive/v1/scripts/test_websocket_streaming.py
+++ b/archive/v1/scripts/test_websocket_streaming.py
--- a/archive/v1/scripts/validate-deployment.sh
+++ b/archive/v1/scripts/validate-deployment.sh
--- a/archive/v1/scripts/validate-integration.sh
+++ b/archive/v1/scripts/validate-integration.sh
--- a/archive/v1/setup.py
+++ b/archive/v1/setup.py
--- a/archive/v1/src/init.py
+++ b/archive/v1/src/init.py
--- a/archive/v1/src/api/init.py
+++ b/archive/v1/src/api/init.py
--- a/archive/v1/src/api/dependencies.py
+++ b/archive/v1/src/api/dependencies.py
--- a/archive/v1/src/api/main.py
+++ b/archive/v1/src/api/main.py
@ -17,7 +17,7 @@ from starlette.exceptions import HTTPException as StarletteHTTPException

 from src.config.settings import get_settings
 from src.config.domains import get_domain_config
-from src.api.routers import pose, stream, health
+from src.api.routers import pose, stream, health, auth
 from src.api.middleware.auth import AuthMiddleware
 from src.api.middleware.rate_limit import RateLimitMiddleware
 from src.api.dependencies import get_pose_service, get_stream_service, get_hardware_service
@ -263,6 +263,12 @@ app.include_router(
    tags=["Streaming"]
 )

+app.include_router(
+    auth.router,
+    prefix=f"{settings.api_prefix}",
+    tags=["Authentication"]
+)
+

 # Root endpoint
@app.get("/")
--- a/archive/v1/src/api/middleware/init.py
+++ b/archive/v1/src/api/middleware/init.py
--- a/archive/v1/src/api/middleware/auth.py
+++ b/archive/v1/src/api/middleware/auth.py
@ -189,7 +189,11 @@ class AuthMiddleware(BaseHTTPMiddleware):
                self.settings.secret_key,
                algorithms=[self.settings.jwt_algorithm]
            )
-            
+
+            # Check token blacklist (logout invalidation)
+            if token_blacklist.is_blacklisted(token):
+                raise ValueError("Token has been revoked")
+
            # Extract user information
            user_id = payload.get("sub")
            if not user_id:
--- a/archive/v1/src/api/middleware/rate_limit.py
+++ b/archive/v1/src/api/middleware/rate_limit.py
--- a/archive/v1/src/api/routers/init.py
+++ b/archive/v1/src/api/routers/init.py
@ -0,0 +1,7 @@
+"""
+API routers package
+"""
+
+from . import pose, stream, health, auth
+
+__all__ = ["pose", "stream", "health", "auth"]
--- a/archive/v1/src/api/routers/auth.py
+++ b/archive/v1/src/api/routers/auth.py
@ -0,0 +1,32 @@
+"""
+Authentication router for WiFi-DensePose API.
+Provides logout (token blacklisting) endpoint.
+"""
+
+import logging
+from typing import Optional
+
+from fastapi import APIRouter, Request, HTTPException, status
+
+from src.api.middleware.auth import token_blacklist
+
+logger = logging.getLogger(__name__)
+
+router = APIRouter(prefix="/auth", tags=["auth"])
+
+
+@router.post("/logout")
+async def logout(request: Request):
+    """Logout by blacklisting the current Bearer token."""
+    auth_header = request.headers.get("authorization")
+    if not auth_header or not auth_header.startswith("Bearer "):
+        raise HTTPException(
+            status_code=status.HTTP_401_UNAUTHORIZED,
+            detail="Missing or invalid Authorization header",
+        )
+
+    token = auth_header.split(" ", 1)[1]
+    token_blacklist.add_token(token)
+    logger.info("Token blacklisted via /auth/logout")
+
+    return {"success": True, "message": "Token revoked"}
--- a/archive/v1/src/api/routers/health.py
+++ b/archive/v1/src/api/routers/health.py
--- a/archive/v1/src/api/routers/pose.py
+++ b/archive/v1/src/api/routers/pose.py
@ -137,7 +137,7 @@ async def get_current_pose_estimation(
        logger.error(f"Error in pose estimation: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Pose estimation failed: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -174,7 +174,7 @@ async def analyze_pose_data(
        logger.error(f"Error in pose analysis: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Pose analysis failed: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -208,7 +208,7 @@ async def get_zone_occupancy(
        logger.error(f"Error getting zone occupancy: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to get zone occupancy: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -232,7 +232,7 @@ async def get_zones_summary(
        logger.error(f"Error getting zones summary: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to get zones summary: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -285,7 +285,7 @@ async def get_historical_data(
        logger.error(f"Error getting historical data: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to get historical data: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -313,7 +313,7 @@ async def get_detected_activities(
        logger.error(f"Error getting activities: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to get activities: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -357,7 +357,7 @@ async def calibrate_pose_system(
        logger.error(f"Error starting calibration: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to start calibration: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -383,7 +383,7 @@ async def get_calibration_status(
        logger.error(f"Error getting calibration status: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to get calibration status: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -416,5 +416,5 @@ async def get_pose_statistics(
        logger.error(f"Error getting statistics: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to get statistics: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )
--- a/archive/v1/src/api/routers/stream.py
+++ b/archive/v1/src/api/routers/stream.py
@ -2,6 +2,7 @@
 WebSocket streaming API endpoints
 """

+import asyncio
 import json
 import logging
 from typing import Dict, List, Optional, Any
@ -71,26 +72,55 @@ async def websocket_pose_stream(
    zone_ids: Optional[str] = Query(None, description="Comma-separated zone IDs"),
    min_confidence: float = Query(0.5, ge=0.0, le=1.0),
    max_fps: int = Query(30, ge=1, le=60),
-    token: Optional[str] = Query(None, description="Authentication token")
 ):
    """WebSocket endpoint for real-time pose data streaming."""
    client_id = None
-    
+
    try:
        # Accept WebSocket connection
        await websocket.accept()
-        
-        # Check authentication if enabled
+
+        # First-message authentication (CWE-598 fix: no JWT in URL)
        from src.config.settings import get_settings
        settings = get_settings()
-        
-        if settings.enable_authentication and not token:
-            await websocket.send_json({
-                "type": "error",
-                "message": "Authentication token required"
-            })
-            await websocket.close(code=1008)
-            return
+
+        if settings.enable_authentication:
+            try:
+                raw = await asyncio.wait_for(websocket.receive_text(), timeout=10.0)
+                auth_msg = json.loads(raw)
+                if auth_msg.get("type") != "auth" or not auth_msg.get("token"):
+                    await websocket.send_json({
+                        "type": "error",
+                        "message": "First message must be {\"type\": \"auth\", \"token\": \"<jwt>\"}"
+                    })
+                    await websocket.close(code=1008)
+                    return
+                # Verify the token
+                from src.middleware.auth import get_auth_middleware
+                auth_middleware = get_auth_middleware(settings)
+                try:
+                    auth_middleware.token_manager.verify_token(auth_msg["token"])
+                except Exception:
+                    await websocket.send_json({
+                        "type": "error",
+                        "message": "Invalid or expired authentication token"
+                    })
+                    await websocket.close(code=1008)
+                    return
+            except asyncio.TimeoutError:
+                await websocket.send_json({
+                    "type": "error",
+                    "message": "Authentication timeout: no auth message received within 10 seconds"
+                })
+                await websocket.close(code=1008)
+                return
+            except (json.JSONDecodeError, Exception) as e:
+                await websocket.send_json({
+                    "type": "error",
+                    "message": "Invalid authentication message format"
+                })
+                await websocket.close(code=1008)
+                return
        
        # Parse zone IDs
        zone_list = None
@ -157,25 +187,53 @@ async def websocket_events_stream(
    websocket: WebSocket,
    event_types: Optional[str] = Query(None, description="Comma-separated event types"),
    zone_ids: Optional[str] = Query(None, description="Comma-separated zone IDs"),
-    token: Optional[str] = Query(None, description="Authentication token")
 ):
    """WebSocket endpoint for real-time event streaming."""
    client_id = None
-    
+
    try:
        await websocket.accept()
-        
-        # Check authentication if enabled
+
+        # First-message authentication (CWE-598 fix: no JWT in URL)
        from src.config.settings import get_settings
        settings = get_settings()
-        
-        if settings.enable_authentication and not token:
-            await websocket.send_json({
-                "type": "error",
-                "message": "Authentication token required"
-            })
-            await websocket.close(code=1008)
-            return
+
+        if settings.enable_authentication:
+            try:
+                raw = await asyncio.wait_for(websocket.receive_text(), timeout=10.0)
+                auth_msg = json.loads(raw)
+                if auth_msg.get("type") != "auth" or not auth_msg.get("token"):
+                    await websocket.send_json({
+                        "type": "error",
+                        "message": "First message must be {\"type\": \"auth\", \"token\": \"<jwt>\"}"
+                    })
+                    await websocket.close(code=1008)
+                    return
+                from src.middleware.auth import get_auth_middleware
+                auth_middleware = get_auth_middleware(settings)
+                try:
+                    auth_middleware.token_manager.verify_token(auth_msg["token"])
+                except Exception:
+                    await websocket.send_json({
+                        "type": "error",
+                        "message": "Invalid or expired authentication token"
+                    })
+                    await websocket.close(code=1008)
+                    return
+            except asyncio.TimeoutError:
+                await websocket.send_json({
+                    "type": "error",
+                    "message": "Authentication timeout: no auth message received within 10 seconds"
+                })
+                await websocket.close(code=1008)
+                return
+            except (json.JSONDecodeError, Exception) as e:
+                await websocket.send_json({
+                    "type": "error",
+                    "message": "Invalid authentication message format"
+                })
+                await websocket.close(code=1008)
+                return
        
        # Parse parameters
        event_list = None
@ -294,7 +352,7 @@ async def get_stream_status(
        logger.error(f"Error getting stream status: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to get stream status: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -324,7 +382,7 @@ async def start_streaming(
        logger.error(f"Error starting streaming: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to start streaming: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -349,7 +407,7 @@ async def stop_streaming(
        logger.error(f"Error stopping streaming: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to stop streaming: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -371,7 +429,7 @@ async def get_connected_clients(
        logger.error(f"Error getting connected clients: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to get connected clients: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -403,7 +461,7 @@ async def disconnect_client(
        logger.error(f"Error disconnecting client: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to disconnect client: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -442,7 +500,7 @@ async def broadcast_message(
        logger.error(f"Error broadcasting message: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to broadcast message: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )


@ -461,5 +519,5 @@ async def get_streaming_metrics():
        logger.error(f"Error getting streaming metrics: {e}")
        raise HTTPException(
            status_code=500,
-            detail=f"Failed to get streaming metrics: {str(e)}"
+            detail="An internal error occurred. Please try again later."
        )
--- a/archive/v1/src/api/websocket/init.py
+++ b/archive/v1/src/api/websocket/init.py
--- a/archive/v1/src/api/websocket/connection_manager.py
+++ b/archive/v1/src/api/websocket/connection_manager.py
--- a/archive/v1/src/api/websocket/pose_stream.py
+++ b/archive/v1/src/api/websocket/pose_stream.py
--- a/archive/v1/src/app.py
+++ b/archive/v1/src/app.py
--- a/archive/v1/src/cli.py
+++ b/archive/v1/src/cli.py
--- a/archive/v1/src/commands/start.py
+++ b/archive/v1/src/commands/start.py
--- a/archive/v1/src/commands/status.py
+++ b/archive/v1/src/commands/status.py
--- a/archive/v1/src/commands/stop.py
+++ b/archive/v1/src/commands/stop.py
--- a/archive/v1/src/config.py
+++ b/archive/v1/src/config.py
--- a/archive/v1/src/config/init.py
+++ b/archive/v1/src/config/init.py
--- a/archive/v1/src/config/domains.py
+++ b/archive/v1/src/config/domains.py
--- a/archive/v1/src/config/settings.py
+++ b/archive/v1/src/config/settings.py
--- a/archive/v1/src/core/init.py
+++ b/archive/v1/src/core/init.py
--- a/archive/v1/src/core/csi_processor.py
+++ b/archive/v1/src/core/csi_processor.py
@ -1,6 +1,7 @@
 """CSI data processor for WiFi-DensePose system using TDD approach."""

 import asyncio
+import itertools
 import logging
 import numpy as np
 from datetime import datetime, timezone
@ -293,7 +294,8 @@ class CSIProcessor:
        if count >= len(self.csi_history):
            return list(self.csi_history)
        else:
-            return list(self.csi_history)[-count:]
+            start = len(self.csi_history) - count
+            return list(itertools.islice(self.csi_history, start, len(self.csi_history)))
    
    def get_processing_statistics(self) -> Dict[str, Any]:
        """Get processing statistics.
@ -410,8 +412,9 @@ class CSIProcessor:
            # Use cached mean-phase values (pre-computed in add_to_history)
            # Only take the last doppler_window frames for bounded cost
            window = min(len(self._phase_cache), self._doppler_window)
-            cache_list = list(self._phase_cache)
-            phase_matrix = np.array(cache_list[-window:])
+            start = len(self._phase_cache) - window
+            cache_list = list(itertools.islice(self._phase_cache, start, len(self._phase_cache)))
+            phase_matrix = np.array(cache_list)

            # Temporal phase differences between consecutive frames
            phase_diffs = np.diff(phase_matrix, axis=0)
--- a/archive/v1/src/core/phase_sanitizer.py
+++ b/archive/v1/src/core/phase_sanitizer.py
--- a/archive/v1/src/core/router_interface.py
+++ b/archive/v1/src/core/router_interface.py
--- a/archive/v1/src/database/connection.py
+++ b/archive/v1/src/database/connection.py
--- a/archive/v1/src/database/migrations/001_initial.py
+++ b/archive/v1/src/database/migrations/001_initial.py
--- a/archive/v1/src/database/migrations/env.py
+++ b/archive/v1/src/database/migrations/env.py
--- a/archive/v1/src/database/migrations/script.py.mako
+++ b/archive/v1/src/database/migrations/script.py.mako
--- a/archive/v1/src/database/model_types.py
+++ b/archive/v1/src/database/model_types.py
--- a/archive/v1/src/database/models.py
+++ b/archive/v1/src/database/models.py
--- a/archive/v1/src/hardware/init.py
+++ b/archive/v1/src/hardware/init.py
--- a/archive/v1/src/hardware/csi_extractor.py
+++ b/archive/v1/src/hardware/csi_extractor.py
--- a/archive/v1/src/hardware/router_interface.py
+++ b/archive/v1/src/hardware/router_interface.py
--- a/archive/v1/src/logger.py
+++ b/archive/v1/src/logger.py
--- a/archive/v1/src/main.py
+++ b/archive/v1/src/main.py
--- a/archive/v1/src/middleware/auth.py
+++ b/archive/v1/src/middleware/auth.py
@ -56,6 +56,10 @@ class TokenManager:
        """Verify and decode JWT token."""
        try:
            payload = jwt.decode(token, self.secret_key, algorithms=[self.algorithm])
+            # Check token blacklist (logout invalidation)
+            from src.api.middleware.auth import token_blacklist
+            if token_blacklist.is_blacklisted(token):
+                raise AuthenticationError("Token has been revoked")
            return payload
        except JWTError as e:
            logger.warning(f"JWT verification failed: {e}")
@ -237,13 +241,7 @@ class AuthenticationMiddleware:
        """Authenticate the request and return user info."""
        # Try to get token from Authorization header
        authorization = request.headers.get("Authorization")
-        if not authorization:
-            # For WebSocket connections, try to get token from query parameters
-            if request.url.path.startswith("/ws"):
-                token = request.query_params.get("token")
-                if token:
-                    authorization = f"Bearer {token}"
-        
+
        if not authorization:
            if self._requires_auth(request):
                raise AuthenticationError("Missing authorization header")
--- a/archive/v1/src/middleware/cors.py
+++ b/archive/v1/src/middleware/cors.py
--- a/Show more
+++ b/Show more
				`@ -0,0 +1 @@`
				`{"intelligence":7,"timestamp":1774922079152}`