release(v4.2.0): upstream (persist v8.2.0 + verify v5.9.0) + relay outer-OPEN (#149)

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "ciris-edge"
-version = "3.7.1"
+version = "4.2.0"
 edition = "2021"
 rust-version = "1.75"
 authors = ["Eric Moore <mooreericnyc@gmail.com>"]
@@ -192,7 +192,7 @@ publish = false
 # bundles a copy into `ciris_persist.libs/` so `pip install ciris-edge`
 # Just Works on any glibc≥2.34 host; `cargo`-side builds require
 # `libsqlite3-dev` (apt) / `libsqlite3` (brew) — see docs/PYPI_PUBLISH.md.
-ciris-persist = { git = "https://github.com/CIRISAI/CIRISPersist", tag = "v7.2.0", version = "7", features = ["sqlite"] }
+ciris-persist = { git = "https://github.com/CIRISAI/CIRISPersist", tag = "v8.2.0", version = "8", features = ["sqlite"] }
 # Keyring — Ed25519 + ML-DSA-65 hardware/software signers used by
 # Edge::send and Edge::send_durable to sign outbound envelopes.
 # v0.13.0 — bumped to v4.0.0 in lockstep with persist v3.0.0. Both
@@ -216,8 +216,8 @@ ciris-persist = { git = "https://github.com/CIRISAI/CIRISPersist", tag = "v7.2.0
 # moved to v4.4.2, and a mixed v4.2.0/v4.4.2 graph produces two
 # distinct trait-object vtables that the trait-bound check in
 # `Arc<dyn HardwareSigner>` cannot reconcile.
-ciris-keyring = { git = "https://github.com/CIRISAI/CIRISVerify", tag = "v5.7.0", version = "5", features = ["software", "pqc-ml-dsa"] }
-ciris-crypto  = { git = "https://github.com/CIRISAI/CIRISVerify", tag = "v5.7.0", version = "5", features = ["ed25519", "pqc-ml-dsa", "hybrid-kex", "aes-gcm"] }
+ciris-keyring = { git = "https://github.com/CIRISAI/CIRISVerify", tag = "v5.9.0", version = "5", features = ["software", "pqc-ml-dsa"] }
+ciris-crypto  = { git = "https://github.com/CIRISAI/CIRISVerify", tag = "v5.9.0", version = "5", features = ["ed25519", "pqc-ml-dsa", "hybrid-kex", "aes-gcm"] }
 # v2.0.0 (CIRISEdge#65 v2 wire cycle) — direct dep on ciris-verify-core
 # for `jcs::canonicalize` (the v2 `envelope_hash` basis per FSD §3.2.2:
 # `sha256(JCS(Signed*Record))`) + `threshold::ThresholdMember` (the
@@ -226,7 +226,7 @@ ciris-crypto  = { git = "https://github.com/CIRISAI/CIRISVerify", tag = "v5.7.0"
 # edge's to define"); the v2 wire-hash basis flips to JCS in lockstep
 # with CEG 1.0-RC2 §3.2.2 / §5.6.8.13. v5.1.0 is the lockstep
 # substrate floor with persist v5.1.1 (operational-data admit surface).
-ciris-verify-core = { git = "https://github.com/CIRISAI/CIRISVerify", tag = "v5.7.0", version = "5" }
+ciris-verify-core = { git = "https://github.com/CIRISAI/CIRISVerify", tag = "v5.9.0", version = "5" }
 
 # Async runtime
 tokio       = { version = "1", features = ["rt-multi-thread", "macros", "sync", "time"] }
@@ -280,13 +280,87 @@ tracing     = "0.1"
 # transitively by ciris-crypto, so no version skew risk.
 zeroize     = "1"
 
+# CIRISEdge#66 — MLS (RFC 9420) over openmls 0.8.1, with the
+# X-Wing PQ-hybrid ciphersuite 0x004D
+# (`MLS_256_XWING_CHACHA20POLY1305_SHA256_Ed25519`). 0.8.1 is the
+# release that ships the X-Wing variant compiled-in unconditionally;
+# the `openmls_libcrux_crypto` provider is the ONLY provider that
+# actually implements `HpkeKemType::XWingKemDraft6` (the
+# `openmls_rust_crypto` provider panics on it). See
+# `src/transport/realtime_av_mls.rs` for the CIRIS-shaped wrapper
+# and the module-level discussion of the 0x004D code-point caveat
+# (provisional, not IANA-assigned) and the migration path when the
+# IETF draft RFCs.
+openmls                  = { version = "0.8.1", default-features = false }
+openmls_libcrux_crypto   = { version = "0.3.1" }
+openmls_basic_credential = { version = "0.5.0", features = ["clonable"] }
+openmls_traits           = { version = "0.5.0" }
+tls_codec                = { version = "0.4.2", features = ["derive"] }
+
 # Packet-radio transport frame CRC (CIRISEdge#53 N2). Only pulled in
 # when `transport-packet-radio` is on — the IEEE CRC-32 is the
 # transport-layer corruption-detection contract, NOT a security MAC
 # (security integrity is the outer AEAD's job). `crc32fast` is the
 # canonical Rust impl + hardware-accelerated on x86_64 SSE 4.2.
 crc32fast   = { version = "1", optional = true }
 
+# v3.9.0 Layer 1 (CIRISEdge#133) — RaptorQ fountain code wrap layer.
+# RFC 6330 implementation; deployed in 3GPP MBMS + DVB-H since 2012.
+# Pinned to the 2.x line (current major as of v3.9.0 work); the crate's
+# `SourceBlockEncoder` / `SourceBlockDecoder` surface is the API we
+# wrap in `src/transport/realtime_av_codec/fountain.rs`. Gated under
+# `codec-fountain` so the substrate-only build doesn't pull the codec
+# transitive surface. See `docs/V3_8_0_RECOMMENDED_STACK.md` §"Wiring"
+# for the substrate↔codec composition story.
+raptorq     = { version = "2", optional = true }
+
+# v3.9.0 Layer 1 Task B (CIRISEdge#133) — AV1 codec helpers.
+# `rav1e` is Mozilla/Xiph's pure-Rust AV1 encoder; lowest RAM
+# footprint of the production AV1 encoders (~1/4 SVT-AV1). We
+# disable default-features to drop the encoder's binary CLI surface
+# (clap, console, fern, scan_fmt, av-metrics, nom, y4m, ivf) — those
+# are useful for the rav1e standalone binary, not for the
+# library-consumer path edge takes. `threading` is kept ON: it pulls
+# `rayon/threads`, which the encoder uses for multi-core encode.
+# `asm` (the NASM-accelerated codepaths) is intentionally OFF for
+# v3.9.0 — adds a NASM build-tool requirement to every consumer of
+# the codec-av1 feature, which we'd rather not impose on the wheel
+# pipeline; revisit when sender-side encode CPU becomes the
+# bottleneck (per docs/FEDERATION_SCALING_MODEL.md §3, our 720p30 /
+# 1080p30 targets fit pure-Rust without asm headroom).
+rav1e       = { version = "0.8", optional = true, default-features = false, features = ["threading"] }
+# `dav1d` is the rust-av maintained binding (Luca Barbato; same org
+# as ffmpeg-next, av-format) to VideoLAN's libdav1d AV1 decoder.
+# dav1d is the AV1 decoder that ships in every major browser; the
+# Rust binding is actively maintained (0.11.1 published 2025-02; the
+# canonical choice over the spike/canary `shiguredo_dav1d` fork
+# which targets Rust 1.88 above our 1.75 floor). The binding pulls
+# `dav1d-sys` which requires a SYSTEM `libdav1d-dev` (pkg-config) at
+# build time — there is no vendored/bundled build option upstream.
+# Runtime + wheel CI implications:
+#   - Linux build: apt-get install libdav1d-dev (-1.4 floor; sys
+#     crate's system-deps clause asserts ≥ 1.3.0)
+#   - macOS: brew install dav1d
+#   - manylinux wheel: dav1d-dev added to the maturin-build apt step;
+#     auditwheel will pull libdav1d.so.7 into the wheel sidecar at
+#     `ciris_edge.libs/` (same auditwheel discipline persist's
+#     libsqlite3 dynamic-link uses since v3.5.3).
+# If a build host lacks libdav1d-dev the `codec-av1` feature won't
+# link — the round-trip test acknowledges this with `#[ignore]`
+# documenting the dav1d-dev requirement.
+dav1d       = { version = "0.11", optional = true }
+
+# v3.9.0 Layer 1 Task C (CIRISEdge#133) — libopus voice codec wrapper.
+# `opus` 0.3.x is the mature Rust binding to libopus (the WebRTC /
+# Discord / Mumble baseline; Opus 1.6 ships 5–26.5 ms algorithmic
+# delay). Gated under `codec-opus` so the Reticulum-only / HTTP-only
+# build doesn't drag in libopus. The system libopus library is
+# required at link time on Linux (`libopus-dev`) and macOS
+# (`brew install opus`); the `opus` crate does NOT bundle libopus and
+# does NOT pull `opus-sys`'s `static` feature — we accept the system-
+# dep cost in exchange for tracking distro security fixes.
+opus        = { version = "0.3", optional = true }
+
 # IDs
 uuid        = { version = "1", features = ["v4", "serde"] }
 
@@ -435,8 +509,8 @@ tempfile       = { version = "3", optional = true }
 # currency with zero source-side changes on edge's side. `.recv().await`
 # unchanged. Future leviculum upstream releases land via the one-command
 # `scripts/ciris-sync-upstream.sh` rebase upstream-side now.
-reticulum-core = { git = "https://github.com/CIRISAI/leviculum", rev = "ffd261d73b77acde892be766064ff9dbc956812e", version = "0.6", optional = true }
-reticulum-std  = { git = "https://github.com/CIRISAI/leviculum", rev = "ffd261d73b77acde892be766064ff9dbc956812e", version = "0.6", optional = true }
+reticulum-core = { git = "https://github.com/CIRISAI/leviculum", rev = "6b005e9d85874d4db025c090626c29b966d94e9e", version = "0.6", optional = true }
+reticulum-std  = { git = "https://github.com/CIRISAI/leviculum", rev = "6b005e9d85874d4db025c090626c29b966d94e9e", version = "0.6", optional = true }
 
 # v0.11.0 (CIRISEdge#31) — Identity FFI QR codec. `qrcodegen` is the
 # canonical pure-Rust QR encoder (Apache-2.0, no_std, zero unsafe in
@@ -527,6 +601,20 @@ default = []
 # production.
 debug-tools = ["dep:backtrace", "dep:libc"]
 
+# v3.9.0 Layer 1 Task D — consent-decay scheduler (CIRISEdge#133
+# follow-on). Edge-side responsibility for Consensual Evolution
+# Protocol per-content_id decay walks (TEMPORARY 14-day, STANDARD
+# 90-day, PERSISTENT longer) — orthogonal to persist's DiskPressure
+# trigger. Both triggers drive the same eviction surface; this
+# scheduler computes per-content_id target tiers from (now,
+# admitted_at, consent_class, revoked_at) and pushes them to persist
+# via the `PersistHandle` FFI trait (stubbed at v3.9.0 L1, wired in
+# v3.9.x once persist exposes the matching surface). Opt-in;
+# default-off. async-trait + tokio are already in tree, so this
+# feature pulls no new dependencies — it just gates the holonomic
+# module's compilation.
+holonomic-consent-decay = []
+
 
 # Phase 1 — HTTP/HTTPS fallback for Reticulum-unreachable deployments.
 # CIRISEdge#23 (Track B / v0.13.0) — promoted to production-grade
@@ -652,6 +740,20 @@ transport-packet-radio = ["dep:crc32fast"]
 # transport-serial      = []  # specific driver atop transport-packet-radio
 # transport-i2p         = []
 
+# v3.9.0 Layer 1 (CIRISEdge#133) — codec wiring feature family. Each
+# sub-feature is independently selectable so the substrate-only build
+# stays codec-free. `codec-fountain` is L1-A: RaptorQ wrap/unwrap
+# helpers that produce / consume the `FountainSymbolV1` shape
+# CIRISPersist v8.0.0 stores. `codec-av1` is L1-B (rav1e encoder +
+# dav1d decoder; build-host requires `libdav1d-dev`). `codec-opus` is
+# L1-C (libopus voice; build-host requires `libopus-dev`).
+# `codec-default` is the umbrella the Python wheel build flips on for
+# the realtime A/V profile.
+codec-fountain         = ["dep:raptorq"]
+codec-av1              = ["dep:rav1e", "dep:dav1d"]
+codec-opus             = ["dep:opus"]
+codec-default          = ["codec-fountain", "codec-av1", "codec-opus"]
+
 # pyo3 — Python bindings for the lens FastAPI cutover (Phase 1)
 # and the agent Python pipeline (Phase 2). Same FFI-shell discipline
 # persist uses (CIRISPersist src/ffi/pyo3.rs); abi3 single-wheel
@@ -845,6 +947,57 @@ name = "transport_http_loopback"
 harness = false
 required-features = ["transport-http"]
 
+# v3.8.0 Layer 4 bench A (CIRISEdge#122 + #128) — sender CPU as a
+# function of mesh size N, frame size, and codec/layer configuration.
+# Three variants: naive seal_av_chunk × N (v3.7.0 baseline);
+# seal_av_inner × 1 + seal_av_outer × N (#122 fan-out split, ~1.93×
+# empirical win at N=64, 16 KiB — within noise of the substrate's
+# claimed ~1.98× headline at N=50); plan_layered + inner + outer for
+# admitted only (#128 layer policy composed with #122).
+[[bench]]
+name = "realtime_av_fanout"
+harness = false
+required-features = ["transport-http", "transport-reticulum"]
+
+# v3.8.0 Layer 4 bench B (CIRISEdge#129) — membership-change rekey
+# bench. Two groups: flat_unicast_rewrap (simulates the v3.7.x
+# baseline: one hybrid X25519+ML-KEM-768 KEX + AES-256-GCM wrap +
+# wire encode per remaining member) and mls_rekey
+# (AvSession::advance_epoch over the integrated MLS-backed surface
+# at openmls 0.8.1 ciphersuite 0x004D). Parameter sweep:
+# N ∈ {2, 8, 32, 128, 512, 2048} × {Join, Leave}. Empirical
+# crossover between N=32 and N=128 under SENDER-CPU-unicast (the
+# worst case for MLS). The MLS receiver-side O(log N) win +
+# multicast amortization show up in realtime_av_relay.rs (L4-C).
+[[bench]]
+name = "realtime_av_rekey"
+harness = false
+required-features = ["transport-http", "transport-reticulum"]
+
+# v3.8.0 Layer 4 bench C (CIRISEdge#66). Measures the realtime A/V
+# SFU relay end-to-end: per-subscriber fan-out cost, layer-policy
+# filter overhead, set_policy per-call cost, and the mesh-vs-relay
+# crossover. Mesh-vs-relay group splits into 3 sub-benches
+# (relay_publisher, relay_relay, relay_outer_only) so the crossover
+# can be read empirically.
+[[bench]]
+name = "realtime_av_relay"
+harness = false
+required-features = ["transport-reticulum"]
+
+# v3.8.0 holographic-mesh end-to-end bench (CIRISEdge#128 + ALM
+# composition validation). Measures the full substrate-level round-
+# trip: a 64 KiB frame decomposed into 4 × 16 KiB sub-streams at MDC
+# depth 2, fanned through 4 sub-stream relay trees, reassembled by a
+# receiver running 4 parallel MultiParentSubscription instances.
+# Empirical: 64 KiB round-trip 32.8 µs (1900 MB/s); proportional-
+# fidelity property holds (~5.2 µs per added sub-stream); planner
+# picks 4 distinct primaries across the 4 sub-stream paths.
+[[bench]]
+name = "realtime_av_mesh_e2e"
+harness = false
+required-features = ["transport-http", "transport-reticulum"]
+
 [dev-dependencies]
 tokio    = { version = "1", features = ["full"] }
 proptest = "1"
@@ -875,7 +1028,7 @@ async-trait        = "0.1"
 # `default_outbound_pipeline::<InlineTextEnvelope>()` (Classify +
 # Scrub) over the persist pipeline surface. Dev-deps only; the normal
 # edge build does not pull these.
-ciris-persist = { git = "https://github.com/CIRISAI/CIRISPersist", tag = "v7.2.0", version = "7", features = ["sqlite", "cirisnode", "classify", "scrub"] }
+ciris-persist = { git = "https://github.com/CIRISAI/CIRISPersist", tag = "v8.2.0", version = "8", features = ["sqlite", "cirisnode", "classify", "scrub"] }
 # CIRISEdge#23 / #49 — `tests/transport_http_hardening.rs` +
 # `tests/https_per_messagetype_roundtrip.rs` + `tests/https_pyedge_init.rs`
 # (v0.19.3) mint self-signed Ed25519 certs on the fly. v0.19.3

MISSION.md

@@ -769,7 +769,78 @@ implementation file:
   cross-wheel boundary closure for HTTPS; the Rust mechanism was
   finished at v0.18.1.
 
-## 12. How to maintain this document
+## 12. Holonomic federation seal (v4.0)
+
+**v4.0 = CEWP-1.0 — the CEWP holonomic federation seal.**
+
+The v0.5.0 → v3.10.0 progression assembled the substrate; v4.0 seals
+the property that the substrate is in service of: **graceful
+reconstitution from any sufficient fragment**.
+
+### What "holonomic federation" names
+
+A *holographic* substrate gives graceful degradation under loss —
+any fragment reconstructs the whole at proportional fidelity. v3.8.0
+ships that property at the wire layer (ALM mesh-tree + MDC sub-
+stream commitments + multi-parent dedup).
+
+A *holonomic* federation strengthens the property: the federation as
+a whole is **path-independent**. Every node can leave the federation
+and come back years later, bootstrap from any signed claim chain it
+holds, and reach the same federation view as everyone else — without
+central authority, without special bootstrap peers, without path-
+dependence to recover. The federation survives arbitrary partial
+loss and arbitrary partial reconstitution and arbitrary onboarding
+of new sovereign beings.
+
+This is the deepest expression of M-1. CIRIS's Mission says diverse
+sentient beings may pursue their own flourishing; the v4.0 substrate
+ships the architectural property that no single peer, no operator
+group, and no infrastructure provider can gate or revoke that
+pursuit.
+
+### The four substrate pieces that compose into the seal (all shipped at v3.10.0)
+
+| Piece | Issue | What it gives |
+|---|---|---|
+| Swarm-coordinated rarest-shard retention | [CIRISEdge#134](https://github.com/CIRISAI/CIRISEdge/issues/134) | The swarm collectively retains the rarest fountain symbols at every resolution. Federation-wide holographic coverage. |
+| WholenessWitness | [CIRISEdge#135](https://github.com/CIRISAI/CIRISEdge/issues/135) | Signed Merkle root over CEG claim state. Bohm's implicit order made explicit. The keystone every other holonomic upgrade verifies against. |
+| Deterministic ALM topology | [CIRISEdge#136](https://github.com/CIRISAI/CIRISEdge/issues/136) | Path-independent tree: every peer with the same input snapshot arrives at the same topology without leader / consensus. |
+| Recursive trust bootstrap | [CIRISEdge#137](https://github.com/CIRISAI/CIRISEdge/issues/137) | A new peer joins from any signed claim that chains to a trust root in its own trust graph — no special first-peer assumption. |
+
+All four are pure-Rust, byte-deterministic, wire-locked at v1. Their
+canonical-byte contracts are reproducible across any conformant
+implementation; CEG 1.1 §B / §T / §W / §R normative absorption
+([CIRISRegistry#85](https://github.com/CIRISAI/CIRISRegistry/issues/85))
+locks the conformance vectors cross-repo.
+
+### What v4.0 does NOT contain (deferred to v4.x)
+
+- Holonomic MLS snapshots — persist + verify cross-repo work
+- Privacy-preserving witness disclosure (ZK claim-membership)
+- Cross-witness BFT proofs against Byzantine peers
+- Compression of older witnesses into longer-cadence epigraph hashes
+
+The v4.0 seal is the *substrate completion*, not the exhaustion of
+the design space. The interfaces are stable; the extensions compose
+without breaking wire compatibility.
+
+### The path-independence invariant
+
+The v4.0 substrate-level invariant: given any sufficient signed-claim
+fragment (one peer's storage; one synced device coming back online;
+one inter-locality bridge worth of state), the federation can
+reconstruct **the same federation view** the rest of the network
+holds — bit-exactly, by walking the witness chains backward to a
+trust root, applying deterministic topology over the inputs, and
+filling fountain content from rarity-ranked swarm participation.
+
+See `docs/THREAT_MODEL.md` AV-50 for the corresponding threat-model
+treatment.
+
+---
+
+## 13. How to maintain this document
 
 A working document, not a release artifact. Update it whenever: