Famulus-Domus (internal codename: ZT-Edge-v3)
Famulus-Domus is the ecosystem node entry in the esphome.cloud
product matrix — a zero-trust IoT edge platform line. Internally and
in the codebase it has always been called ZT-Edge-v3, and the
authoritative PRD lives at aegis/.prd/ZT-Edge-v3/ (overview.md,
~2200 lines). This page is a manual-side primer; it does not
replace the PRD.
Current status: Preview. v3.0 targets 2026-Q4 for the core (Phase 0–6 + 11–13 MVP); v3.1 targets 2027-Q2 for the full feature set. The PRD is readable today; production deployments are not yet recommended.
One-line positioning
Run mTLS + SPIFFE + sidecar on a single ESP32 and put consumer smart home and industrial OT on the same zero-trust map.
It is the merger of two independently-solid PRDs:
Aegis ZT-Edge v2 (strong compliance + ZT depth, but thin data model
and WiFi-mesh-only coverage) and rshome-device-link v2 (strong typed
data model + protocol breadth, but security deferred and compliance
absent). The merge eliminates both strategic risks — rshome stops
being “the Rust clone of Home Assistant”, and Aegis stops being “a
WiFi-mesh-only ZT product”.
What it is not
| Easily confused with | Relationship |
|---|---|
| Home Assistant | A spiritual predecessor — but explicitly supersedes HA’s flat Entity/Domain/Feature model. Different audience too: declarative + GitOps homes, not UI-driven ones. |
| ZTNA (Zscaler / Cloudflare Access) | No — this product is not cloud-delivered. |
| Industrial SCADA | No — does not own hard-real-time PLC control (soft real-time ≤ 100 ms is fine). |
| A single-protocol bridge (zigbee2mqtt / ESPHome) | No — those are absorbed as adapters at L2. |
| SaaS | No. Self-hosted, local-first, LAN-first. |
What it solves
Every line below is individually addressed somewhere; together, no one does it:
- Full protocol spectrum: IP to non-IP (Zigbee / Z-Wave / BLE / Thread / Modbus)
- Strongly-typed capability contracts: DTDL v3-style Interface + Twin shadow
- Zero-trust depth: mTLS + SPIFFE + Rego policy + CAEP + MFA
- Three hardware tiers: ESP32-S3 → OpenWRT/Pi4 → x86 mini PC, one codebase
- Dual compliance stack: China (Dengbao L2/L3 + Mi-Ping + GM) and international (NIST 800-207 + CISA ZTMM)
- Self-hosted Matter fabric root: home data sovereignty
- External exposure: WoT Thing Description 1.1 + MCP, simultaneously
One codebase, two markets
v3.0 strategic decision: one codebase / one ADR set, differing only in wizard templates. Splitting into two products would cost ~70% code duplication and double the operations burden.
| Axis | Consumer Smart Home | Industrial OT / Compliance |
|---|---|---|
| Typical user | HomeLab players, Matter device owners, WASM integration authors, AI agent users | Small commercial spaces, China信创 SOEs, OT engineers, compliance auditors |
| Core needs | Data sovereignty, local-first, multi-protocol interop, self-hosted Matter fabric, GitOps | Dengbao L2/L3, Mi-Ping, protocol-aware policy (Modbus/MQTT/CoAP), dual control, audit-chain integrity |
compliance_mode | none | dengbao_l3 / gm_cert_mp |
crypto_suite | international_default | gm_rfc8998 / gm_tlcp_38636 |
| Typical hardware | Tier-M (Pi4 / OrangePi5) | Tier-L (x86 mini PC) |
| Loaded adapters | Matter / Zigbee / Z-Wave / HAP Bridge | Modbus / BACnet protocol-aware L4 |
Shared technical floor: bastion control plane, Policy engine, audit chain, Tier-S/M/L tiering, CAEP federation, northbound MCP, SPIFFE+DTMI identity.
GTM is split (sales channels, pricing, SLA, support contracts); the technology is not.
Ten-layer architecture
L10 External Agents / LLMs / Cloud Federation
MCP (DPoP+mTLS) / CAEP subscribe / NGSI-LD / Grafana / HAP / Apple
L9 Northbound gateway (MCP server + clawroom + auth middleware)
L8 Authorization & policy (Rego PEP + policy-input schema v1 + data_class)
L7 Semantics & topology (SAREF + Brick + QUDT subset / nested Space / Relationship)
L6 External exposure (WoT TD 1.1 auto-generation / HAP Bridge / Matter Bridge)
L5 Capability interfaces & twins (DTDL v3 subset Interface / Twin reported/desired/delta)
L4 Device abstraction (Thing / Endpoint / PartsList / DeviceType / Matter skeleton)
L3 Identity & trust (per-Thing x509 cert + SPIFFE ID + Matter NOC + CAEP)
L2 Protocol adapters (Matter / ESPHome / Zigbee / Modbus / MQTT / BLE)
L1 Transport floor (ESP-WIFI-Mesh / WiFi / Thread / Ethernet / Serial)
+ Phase 3.5 time-before-trust sync
For the full chapter map, see aegis/.prd/ZT-Edge-v3/overview.md §F.
Every layer has a paired phase doc (phases/phase-N-*.md) and
governance asset (ADR, threat model, risk register).
Data model (L4 / L5)
The HA “Entity + domain + features” bag model is retired and replaced with a subset of Azure DTDL v3 plus the Matter node model:
| Concept | What | Identifier |
|---|---|---|
| Thing | Physical device / bridged sub-device | urn:rshome:thing:<uuid-v7> |
| Endpoint | Functional endpoint on a Thing (Matter ep_id) | ep_id: u16 |
| InterfaceDefinition | Strongly-typed capability contract (DTDL v3 subset) | dtmi:rshome:cap:OnOff;1 |
| Twin | reported / desired / delta triple | per (ThingId, ep_id) |
| Space | Physical space (Site/Building/Storey/Room) | urn:rshome:space:<uuid> |
| Relationship | LocatedIn / HasPart / Feeds / ControlledBy | explicit edges |
extends rule (ADR-022): a new version (;1→;2) may only append
Optional fields; a breaking change requires a new DTMI, and the old
one is marked deprecated: true and kept for 12 months.
InterfaceDefinition schema stability SLO: ≥24 months no-break.
Hardware tiers (Tier-S / Tier-M / Tier-L)
| Axis | Tier-S | Tier-M | Tier-L |
|---|---|---|---|
| Reference HW | ESP32-S3 WROOM-1-N16R8 | RPi4 / Orange Pi 5 / OpenWRT mini PC | x86 mini PC (≥4C8G) / RK3588 4GB+ |
| RAM | 512 KB SRAM + 8 MB PSRAM | 2 GB+ | 4 GB+ |
| Scale ceiling | 100 Thing / 300 endpoint / 20 mTLS | 500 Thing / 2000 endpoint | 5000 Thing / 50 space |
| HA | none | optional active-passive pair | required + witness |
| Semantic layer | downgraded SQLite triple | full Oxigraph | Oxigraph + OWL reasoning |
| TSDB | 15 min in-RAM rolling | local TimescaleDB | local + external replica |
| WASM | wasmi | wasmtime | wasmtime + multi-instance |
| Compliance | Dengbao L2 OK; L3 needs external audit | L2 directly; L3 OK | L2/L3 fully + Mi-Ping |
A full bastion on Tier-S is build.rs reject (ADR-036) — if you
want to run on ESP32, only three binary profiles are allowed:
sidecar (per-device L4 mTLS), bastion-lite (ADR-046, LAN-only ≤50
devices ESPHome-only), and tier-s-hopper (WireGuard client +
USB-NCM). “A complete fully-autonomous Tier-S home” is not in the
sales matrix — Tier-S is always the supporting role.
Protocol-adapter ecosystem (L2)
In v3, ESPHome is demoted from the main trunk to one of N adapters, peer with Matter / Zigbee / MQTT / Modbus / BLE.
| Crate | Status | Tier |
|---|---|---|
rshome-adapter-esphome | v3.0 GA | all |
rshome-adapter-matter | v3.0 GA (ADR-023) | all (Tier-S trimmed) |
rshome-adapter-mqtt-homie | v3.0 GA | all |
rshome-adapter-zigbee | v3.0 GA (via zigpy / z2m bridge) | Tier-M/L primary |
rshome-adapter-modbus | v3.0 beta | Tier-M/L |
rshome-adapter-ble | v3.0 beta | Tier-M/L |
rshome-adapter-zwave | v3.1 | Tier-M/L |
rshome-adapter-knx | v3.1 | Tier-M/L |
rshome-adapter-matter-bridge | v3.0 GA (external exposure) | all |
rshome-adapter-hap-bridge | v3.0 GA (external exposure) | all |
mTLS is mandatory, not optional. The ESPHome adapter requires
noise_psk from v1, not deferred to Phase 7. Zigbee itself does not
run mTLS, but the hub ↔ coordinator (UART/SPI) link must be wrapped
in mimi-crypto.
External surfaces (L6 / L9 / L10)
| Exit | Audience | Protocol |
|---|---|---|
| WoT TD 1.1 | any W3C-WoT client | .well-known/wot + mDNS _wot._tcp |
| HAP Bridge | Apple Home / HomeKit users | Bonjour + HAP |
| Matter Bridge | other Matter fabrics | Aggregator Endpoint + Bridged Nodes |
MCP (rshome.*) | AI agents (Claude / OpenClaw / Aegis Agent) | mTLS + DPoP dual-binding |
| CAEP | upstream / downstream federated IdPs | subscribe + publish |
| NGSI-LD | EU Data Spaces / smart-city | Tier-L, v3.1 |
The MCP toolset uses the rshome.* prefix (fixing rshome v2’s ha.*
naming collision) — rshome.things.list / introspect,
rshome.twins.update_desired / observe, rshome.workflows.run,
rshome.policy.evaluate-dry-run, rshome.approvals.pending / grant / deny (dual control), etc. The number of tools is not fixed;
it derives from the capability model.
Compliance
| Standard | Tier requirement | Status |
|---|---|---|
| Dengbao 2.0 L2 | Tier-M+ | Fully covered |
| Dengbao 2.0 L3 | Tier-M (possible) / Tier-L (direct) | Fully covered |
| Mi-Ping GM/T 0054 | Tier-M+ + GM USB Key (SJJ1622) | Fully covered |
| NIST 800-207 | all | Fully covered |
| CISA ZTMM v2 | all | Fully covered |
| IEC 62443-3-3 SL-2 | Tier-M+ | Fully covered |
| FIPS 140-3 validation | — | v4 only; v3.0 not validated |
| Dengbao L4 / classified | — | Never (NG6) |
Non-Goals (important reverse declarations)
- NG1 Not a ZTNA product
- NG2 No SaaS / managed cloud
- NG3 No hard-real-time PLC control (soft real-time ≤ 100 ms is fine)
- NG4 No TSN (time-sensitive networking)
- NG5 No multi-tenant / multi-home in v3.0 (v4 federation)
- NG6 No Dengbao L4 or higher target
- NG7 No FIPS 140-3 validation target
- NG8 No HA-style UI richness (declarative + GitOps is the UX)
- NG9 No cloud aggregation / WAN device discovery in v3.0 (LAN first)
- NG10 rshome-generated firmware does not require the Aegis sidecar (sidecar is an optional build profile)
See also
aegis/.prd/ZT-Edge-v3/overview.md— the ~2200-line canonical PRD (source of truth)aegis/.prd/ZT-Edge-v3/manifest.md— PRD package layout + persona reading routesaegis/.prd/ZT-Edge-v3/governance/adr-index.md— ADR-020..049 indexaegis/.prd/ZT-Edge-v3/phases/phase-*.md— per-phase implementation detail- IoT Device Tooling — the device-side domain classification for rshome; Famulus-Domus is its host control plane + security depth
- Vehicle & Aircraft Control — the adjacent domain that Famulus-Domus does not cover