AGS: Premium grow appliance for small rooms
Security: PoP pairing / TLS MQTT / signed OTA / on-hub safety

Security built into the appliance model.

AGS is not a cloud-only gadget. Pairing requires proof-of-possession, each hub gets scoped MQTT credentials over TLS, firmware is signed, and the on-hub safety stack includes e-stop, watchdog, and secure boot paths — so the room can fail safe.

Pairing: Physical-access step before credentials ship.

Layers

From first pairing to firmware trust.

Pairing

Proof-of-possession required

BLE provisioning uses Security1 (X25519 + AES-CTR) with proof-of-possession. Adding a hub requires physical access — not a silent cloud claim.

Transport

Per-device MQTT over TLS

Each hub receives scoped MQTT credentials. Telemetry and commands travel over TLS 1.3 on user-scoped topics — not a shared broker password.

Firmware

Signed images and trust bundle

OTA images are signed. A rotatable Ed25519 trust bundle in NVS supports certificate rotation without bricking deployed hubs.

On-hub safety

E-stop, watchdog, secure boot

Hardware enable, brownout monitoring, watchdog, and e-stop are part of the firmware safety stack — the room can fail safe even when automation is aggressive.

Proof

Security surfaces in the app today.

Provisioning: Controlled first connection with PoP in the app flow.
PoP: Physical-access pairing step before credentials ship.
Account: EU-hosted accounts with tier entitlements on profile.

Commercial

EU-hosted accounts with clear ownership.

Data residency, per-device credentials, and visible change history are part of the commercial product — not an enterprise upsell.